On 2010-10-03, at 13:31, Eric Rescorla wrote:

> I'm asking because I'm pretty familiar with cryptography and I know that keys
> don't suddenly become worthless just because they get past their intended use
> lifetime. The semantics of signature security of old keys is a lot more
> complicated than that.

The context here is the publication of DNSSEC trust anchors for the root zone.

At least some of the cases we're talking about involve signatures necessarily made by keys after an emergency key roll which has taken place because the old key has been compromised. Such signatures are worthless.

In the general case we must assume that there will exist a point in the future at which at least one prior key roll has been due to a key compromise, and hence we can expect that an unbroken chain of trust that involves outgoing keys signing incoming keys will not always be available.

If we consider the more usual case to be one where a key was rolled for reasons other than a compromise, then a signature made by the outgoing key is useful so long as the security of the outgoing key is maintained. Since the procedures followed to effect a scheduled key roll would involve the destruction of the outgoing private key, we would hope that this was not an issue. As a matter of operational pragmatism, however, I have argued that a system that relies upon the absolute, secure destruction of all prior keys is more fragile than one that does not.

> If there's some particular discussion that you'd like me to review that makes
> the case that this is different, please point me at it.

The conversations were all on this list, relating to the trust-history proposal. The paragraphs above are my attempt at a summary of the concerns I raised at the time.

Joe