At 7:42 PM +0100 9/30/10, Tony Finch wrote:
>At the moment the trust anchors are the ICANN x.509 self-signed
>certificate and/or the PGP keyring. What are the processes for rolling
>over these keys? How should manufacturers of software or hardware with a
>long shelf-life use them to bootstrap DNSSEC?

When you say "ICANN x.509 self-signed certificate", do you mean the certificate used for the https URLs in this draft? If so, it is not self-signed at all, and in fact is not maintained by ICANN. I think that negates your concern.

>I think it was a mistake to drop the trust anchor history draft, because
>it has a reasonably coherent answer to the problem. I think the arguments
>that it is not secure enough are misguided. What we want is a way for
>software to bootstrap its DNSSEC trust anchor that is better than a leap
>of faith. This can perhaps be backed up with x.509 validation of the trust
>anchor once DNS is up and the higher levels of the stack are able to look
>up host names.

There is *always* a leap of faith, even if it is just "the key that was installed initially". An external third party that is trusted before and after a key rollover is sufficient.

--Paul Hoffman, Director
--VPN Consortium