On Sun, Oct 3, 2010 at 10:54 AM, Joe Abley <jab...@hopcount.ca> wrote:
>
> On 2010-10-03, at 13:31, Eric Rescorla wrote:
>
> > I'm asking because I'm pretty familiar with cryptography and I know that
> > keys don't suddenly become worthless just because they get past their
> > intended use lifetime. The semantics of signature security of old keys
> > is a lot more complicated than that.
>
> The context here is the publication of DNSSEC trust anchors for the root
> zone.
>
> At least some of the cases we're talking about involve signatures
> necessarily made by keys after an emergency key roll which has taken place
> because the old key has been compromised. Such signatures are worthless.

I don't think this follows. It's pretty commonly suggested that at the time you roll out key K_n you also *immediately* generate key K_{n+1} and produce a certificate signing K_{n+1} with K_n. Since all that is required for security is that the signature itself take place prior to the compromise of K_n this allows for rollover even if K_n is subsequently compromised, provided that the relying party can verify that the signature on K_{n+1} was computed before the compromise date. There are a variety of techniques for doing this, e.g., hash commitment, Haber-Stornetta timestamping, etc.

-Ekr

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
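
The check described in the reply above, that the signature on K_{n+1} existed before K_n was compromised, sketched as an added example that is not part of the original message: a simplified hash-linked log standing in for the hash-commitment and linked-timestamping techniques it names. `LinkedLog`, `committed_before` and the sample entries are hypothetical and constructed; verifying the K_n signature itself, and obtaining the published head over an independent channel, are assumed to happen separately.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

class LinkedLog:
    """Append-only hash chain: head[i] = H(head[i-1], H(entry_i))."""
    def __init__(self):
        self.heads = [h(b"genesis")]
        self.leaves = []

    def append(self, entry: bytes) -> int:
        self.leaves.append(h(entry))
        self.heads.append(h(self.heads[-1], self.leaves[-1]))
        return len(self.leaves)  # 1-based position of the entry

    def proof(self, pos: int, upto: int):
        """Head just before `pos`, plus the leaf hashes linking pos to head[upto]."""
        return self.heads[pos - 1], self.leaves[pos:upto]

def committed_before(entry, prev_head, later_leaves, published_head) -> bool:
    """True if `entry` is bound into a head the verifier obtained out of band."""
    head = h(prev_head, h(entry))
    for leaf in later_leaves:
        head = h(head, leaf)
    return head == published_head

def demo():
    log = LinkedLog()
    log.append(b"unrelated entry A")
    # Constructed stand-in for "K_{n+1}, signed by K_n", logged at rollout of K_n.
    cert = b"rollover: K_{n+1} pubkey || sig_by_K_n (constructed sample)"
    pos = log.append(cert)
    log.append(b"unrelated entry B")
    published = log.heads[3]   # head widely published before K_n is compromised

    # After the compromise: an attacker can sign a different successor with K_n,
    # but cannot link it into the head that was already published.
    forged = b"rollover: attacker pubkey || sig_by_K_n (constructed sample)"
    prev_head, later = log.proof(pos, 3)
    return (committed_before(cert, prev_head, later, published),
            committed_before(forged, prev_head, later, published))

if __name__ == "__main__":
    print(demo())
```

The guarantee rests on the relying party already holding `published` from a source the key holder cannot rewrite, and on the collision resistance of the hash.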