On 30 Sep 2010, at 21:12, Paul Hoffman <paul.hoff...@vpnc.org> wrote: > > In all seriousness, if a software vendor / distro wants to have a way to do > bootstrapping of the ICANN root over the long term, they should stand up > their own CA for this purpose and distribute their own CSR as part of the > software. It is nice that ICANN wants to do the distribution for you, but it > makes more sense for the software vendor / distro to be the sole trusted > third party.
Yes, that is what vendors will have to do given the tools we have provided them so far. The problem is that this commits them to providing an online service that will last for the lifetime of their software or equipment. For consumer gear this will be long enough to cover at least one rollover. If they don't or can't maintain the service, a rollover will brick any equipment that is off at the time, or which is restored to factory settings after a rollover, etc. I think we should be able to make it more robust. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
