At 7:53 PM +0000 9/30/10, Joe Abley wrote:
>On 2010-09-30, at 19:23, Paul Hoffman wrote:
>
>> At 7:42 PM +0100 9/30/10, Tony Finch wrote:
>>> At the moment the trust anchors are the ICANN x.509 self-signed
>>> certificate and/or the PGP keyring. What are the processes for rolling
>>> over these keys? How should manufacturers of software or hardware with a
>>> long shelf-life use them to bootstrap DNSSEC?
>>
>> When you say "ICANN x.509 self-signed certificate", do you mean the
>> certificate used for the https URLs in this draft? If so, it is not
>> self-signed at all, and in fact is not maintained by ICANN. I think that
>> negates your concern.
>
>I hesitate to speak for Tony, but I presumed he was talking about the CA that
>was used to sign the CSR, the result being the single CRT that's hosted at
><https://data.iana.org/root-anchors/> today.

Ah, got it. That problem that we have ignored in the PKIX WG for over a decade.

>We are happy to host other CRTs which result from the processing of the same
>CSR by other Certification Authorities (we've offered to do so multiple times,
>publicly and privately). No doubt a Certification Authority would have
>requirements relating to the authenticity of anything they signed, and we're
>very happy to talk to them about that.

And that solution which folks are forced into. :-)

In all seriousness, if a software vendor / distro wants to have a way to do bootstrapping of the ICANN root over the long term, they should stand up their own CA for this purpose and distribute their own CSR as part of the software. It is nice that ICANN wants to do the distribution for you, but it makes more sense for the software vendor / distro to be the sole trusted third party.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
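The arrangement discussed in this thread, as an added example that is not part of the original message and is not IANA's or any vendor's tooling: a vendor-operated CA processes the published anchor CSR, the product ships only that CA's certificate, and at bootstrap the software accepts a hosted CRT only if it chains to the shipped CA certificate and carries the same public key as the published CSR. All key names, subjects and file names below are constructed for the demonstration; the script needs only a POSIX shell and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the DNSOP thread): bootstrap check with the software
# vendor as the sole trusted third party. Every key, subject and file name here
# is constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Publisher side: the anchor key pair and the CSR that gets published.
make_anchor_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/anchor.key" \
        -out "$WORK/anchor.csr" -subj "/CN=example-root-anchor" 2>/dev/null
}

# Vendor side: a CA run for this purpose only; its certificate is what ships
# inside the product. ($1 = CA subject name, $2 = output file stem)
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.crt" -days 3650 -subj "/CN=$1" 2>/dev/null
}

# A CA processes the published CSR. The resulting CRT can be hosted alongside
# CRTs that other CAs produced from the same CSR. ($1 = CA stem, $2 = out CRT)
sign_csr() {
    openssl x509 -req -in "$WORK/anchor.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# Bootstrap check run by the shipped software. Succeeds only if the hosted CRT
# (a) chains to the shipped vendor CA certificate and (b) carries the same
# public key as the published CSR, i.e. it really is the result of processing
# that CSR and not some other certificate the CA happens to have issued.
# ($1 = hosted CRT, $2 = published CSR, $3 = shipped CA certificate)
verify_hosted_crt() {
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    crt_key=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    csr_key=$(openssl req -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$crt_key" = "$csr_key" ]
}

# End-to-end run: the vendor-signed CRT is accepted, a CRT produced from the
# same CSR by an unrelated CA is rejected because that CA never shipped.
demo() {
    make_anchor_csr
    make_ca "Example Vendor Anchor CA" vendor-ca
    make_ca "Unrelated CA" other-ca
    sign_csr vendor-ca "$WORK/anchor-vendor.crt"
    sign_csr other-ca "$WORK/anchor-other.crt"
    verify_hosted_crt "$WORK/anchor-vendor.crt" "$WORK/anchor.csr" "$WORK/vendor-ca.crt" \
        && echo "vendor-signed CRT: accepted" || return 1
    verify_hosted_crt "$WORK/anchor-other.crt" "$WORK/anchor.csr" "$WORK/vendor-ca.crt" \
        && return 1 || echo "CRT from another CA: rejected"
}

demo
```

The second check in `verify_hosted_crt` is the one that matters for the "other CRTs from the same CSR" case: chain validation alone only proves that the shipped CA issued *some* certificate, while comparing the public key against the published CSR ties the hosted CRT to the anchor key the software is about to trust.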