On 2010-09-30, at 19:23, Paul Hoffman wrote:

> At 7:42 PM +0100 9/30/10, Tony Finch wrote:
>> At the moment the trust anchors are the ICANN x.509 self-signed
>> certificate and/or the PGP keyring. What are the processes for rolling
>> over these keys? How should manufacturers of software or hardware with a
>> long shelf-life use them to bootstrap DNSSEC?
>
> When you say "ICANN x.509 self-signed certificate", do you mean the
> certificate used for the https URLs in this draft? If so, it is not
> self-signed at all, and in fact is not maintained by ICANN. I think that
> negates your concern.

I hesitate to speak for Tony, but I presumed he was talking about the CA that was used to sign the CSR, the result being the single CRT that's hosted at <https://data.iana.org/root-anchors/> today.

We are happy to host other CRTs which result from the processing of the same CSR by other Certification Authorities (we've offered to do so multiple times, publicly and privately).

No doubt a Certification Authority would have requirements relating to the authenticity of anything they signed, and we're very happy to talk to them about that.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop