On 2010-10-03, at 07:59, Tony Finch wrote:

> On 3 Oct 2010, at 08:27, Jakob Schlyter <ja...@kirei.se> wrote:
>> On 1 okt 2010, at 20.59, Tony Finch wrote:
>>>
>>> Right, so it's aimed at human consumption rather than automatic tools?
>>
>> Given the historical information (together with old DNSKEY), you could build
>> a trust anchor history zone.
>
> Not really, since you need the private key of the old TA to sign the public
> key of the new one to get a cryptographic proof of the history. Without that
> it is just a third party attestation, which is rather weaker.

As has been expressed many times, old keys are not trustworthy and hence their signatures have no value.

Joe