On 30 Sep 2010, at 20:23, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> When you say "ICANN x.509 self-signed certificate", do you mean the
> certificate used for the https URLs in this draft?

No: see http://data.iana.org/root-anchors/icannbundle.pem and
http://data.iana.org/root-anchors/Kjqmt7v.crt

> There is *always* a leap of faith, even if it is just "the key that was
> installed initially". An external third party that is trusted before and
> after a key rollover is sufficient.

I am assuming that the key that was installed initially was validated
manually, so that is not a leap of faith. The problem is that a missed
rollover causes a break in the chain of trust. We want to retain as much
trust as possible without requiring a manual validation every time old
software is installed or whenever you do a factory reset on hardware with
an embedded validator.

You can't invoke a magic trusted third party because they also have to
roll their keys. You have moved the problem without solving it.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
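The "missed rollover breaks the chain of trust" point above, as an added illustration that is not part of this thread: a validator shipped with an old anchor walks a published history in which each trust-anchor generation signs its successor, and fails as soon as one generation is absent from that history. The Lamport hash-based signatures, the short key ids and the four-generation history are constructed stand-ins, not DNSSEC's RSA keys or IANA's actual root-anchor files.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]

def verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))

def serialize(pk):
    return b"".join(a + b for a, b in pk)

def anchor_id(pk):
    # Short stable id for a public key (constructed stand-in for a DNSKEY key tag).
    return H(serialize(pk)).hex()[:8]

def build_history(generations):
    # Publisher side: every anchor signs its successor exactly once.
    keys = [keygen() for _ in range(generations)]
    history = {}  # successor id -> (predecessor pk, successor pk, signature)
    for (sk_prev, pk_prev), (_, pk_next) in zip(keys, keys[1:]):
        history[anchor_id(pk_next)] = (pk_prev, pk_next, sign(sk_prev, serialize(pk_next)))
    return [anchor_id(pk) for _, pk in keys], history

def walk_history(installed, history, current):
    # Validator side: from the anchor it was installed with, follow signed
    # predecessor->successor links until the current anchor is reached.
    trusted = installed
    while trusted != current:
        step = [(s, e) for s, e in history.items() if anchor_id(e[0]) == trusted]
        if not step:
            return False  # no signed successor published: the chain breaks here
        succ_id, (pred_pk, succ_pk, sig) = step[0]
        if not verify(pred_pk, serialize(succ_pk), sig):
            return False  # forged or corrupted link
        trusted = succ_id
    return True

def demo():
    ids, history = build_history(4)  # constructed generations K1 -> K2 -> K3 -> K4
    complete = walk_history(ids[0], history, ids[-1])
    gap = {k: v for k, v in history.items() if k != ids[2]}  # K2 -> K3 step dropped
    return complete, walk_history(ids[0], gap, ids[-1])
```

With the full history an old K1 validator reaches K4; with one generation missing it stops at K2, which is the manual-revalidation case the message describes.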