On 4 Oct 2010, at 17.18, Tony Finch wrote:

> This argument also implies that RFC 5011 cannot be used to roll over root
> trust anchors in the event of a compromise.

Depending on the type of compromise, RFC 5011 may not be appropriate.

> It isn't immediately clear to me from the root KSK DPS whether you expect
> RFC 5011 to work in the event of a compromise. It says:
>
> > As part of the KSK emergency roll-over procedures, ICANN maintains
> > the capability of being able to generate and publish an interim Trust
> > Anchor within 48 hours. In favorable circumstances, this interim
> > Trust Anchor may be used to facilitate an orderly RFC 5011 [RFC5011]
> > automatic KSK roll-over to a new and sanctioned Trust Anchor
> > generated at a new scheduled key ceremony held with reasonable time
> > notice.
>
> Does that mean you'll use 5011 to roll from the interim TA to the
> sanctioned TA, but that validator operators will have to manually install
> the interim TA?

Correct.

jakob

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
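The exchange above turns on one property of RFC 5011: a validator only accepts a new trust anchor when the DNSKEY RRset carrying it is signed by an anchor it already holds in the Valid state. Once the existing anchor is distrusted, nothing the zone publishes can bootstrap trust, so the interim TA has to be installed out of band, and only the roll from interim TA to sanctioned TA can be automatic. The following is an added example, written for this note and not code from the thread, from ICANN, or from any resolver; it simulates the RFC 5011 section 4.1 state machine with constructed key names (KSK-2010, KSK-INTERIM, KSK-SANCTIONED) and stands in for RRSIG validation with a set of signing key identifiers, so no real cryptography is involved.

```python
"""Simulation of the RFC 5011 trust-anchor state machine (no real crypto).

Constructed example: an Observation stands in for a validated DNSKEY RRset
query. `signed_by` lists the keys whose RRSIGs cover the RRset; the store
only honours signatures from keys it currently holds in the Valid state.
"""
from dataclasses import dataclass

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 section 2.4.1: add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 section 2.4.2: remove hold-down time


@dataclass
class DNSKey:
    kid: str             # stable identifier standing in for the key (constructed)
    sep: bool = True     # SEP flag: only SEP keys may become trust anchors
    revoked: bool = False  # REVOKE bit set in the flags field


@dataclass
class Observation:
    time: int        # seconds since start of the scenario
    keys: list       # DNSKey records present in the RRset
    signed_by: set   # kids that produced RRSIGs over the RRset


class TrustAnchorStore:
    """States: Start, AddPend, Valid, Missing, Revoked, Removed."""

    def __init__(self, initial_kids, time):
        self.state = {k: "Valid" for k in initial_kids}
        self.since = {k: time for k in initial_kids}

    def _set(self, kid, state, now):
        self.state[kid] = state
        self.since[kid] = now

    def valid_anchors(self):
        return {k for k, s in self.state.items() if s == "Valid"}

    def install_manually(self, kid, time):
        """Out-of-band install, e.g. operator adds an interim TA from the DPS."""
        self._set(kid, "Valid", time)

    def remove_manually(self, kid, time):
        """Out-of-band removal; RFC 5011 has no event for a compromised anchor."""
        self._set(kid, "Removed", time)

    def observe(self, obs):
        present = {k.kid: k for k in obs.keys}
        now = obs.time
        # RemTime is timer-driven and independent of the RRset being validated.
        for kid, st in list(self.state.items()):
            if st == "Revoked" and now - self.since[kid] >= REMOVE_HOLD_DOWN:
                self._set(kid, "Removed", now)
        # Section 2.1: the RRset counts only if a Valid anchor signed it.
        if not (obs.signed_by & self.valid_anchors()):
            return
        # KeyRem: known keys absent from this RRset.
        for kid, st in list(self.state.items()):
            if kid not in present:
                if st == "AddPend":
                    self._set(kid, "Start", now)
                elif st == "Valid":
                    self._set(kid, "Missing", now)
        # NewKey / AddTime / KeyPres / RevBit for keys present in the RRset.
        for kid, key in present.items():
            st = self.state.get(kid, "Start")
            if st == "Removed" or not key.sep:
                continue
            if key.revoked:
                # A revocation is honoured only if the revoked key signs itself.
                if kid in obs.signed_by and st in ("Valid", "Missing"):
                    self._set(kid, "Revoked", now)
                continue
            if st == "Start":
                self._set(kid, "AddPend", now)
            elif st == "AddPend" and now - self.since[kid] >= ADD_HOLD_DOWN:
                self._set(kid, "Valid", now)
            elif st == "Missing":
                self._set(kid, "Valid", now)


def run_emergency_rollover():
    """Walk through the DPS procedure the thread describes."""
    store = TrustAnchorStore(["KSK-2010"], time=0)
    # The sanctioned anchor is compromised: the operator distrusts it by hand.
    store.remove_manually("KSK-2010", time=0)
    interim, sanctioned = DNSKey("KSK-INTERIM"), DNSKey("KSK-SANCTIONED")

    # 1. Interim TA published, signed only by itself: no Valid anchor covers
    #    the RRset, so RFC 5011 ignores it. It stays in Start.
    store.observe(Observation(0, [interim], {"KSK-INTERIM"}))
    ignored = store.state.get("KSK-INTERIM", "Start")
    # 2. Operator installs the interim TA manually.
    store.install_manually("KSK-INTERIM", time=0)
    # 3. Sanctioned KSK published alongside, signed by the interim TA: AddPend.
    store.observe(Observation(1 * DAY, [interim, sanctioned], {"KSK-INTERIM"}))
    pending = store.state["KSK-SANCTIONED"]
    # 4. After the add hold-down it becomes Valid with no operator action.
    store.observe(Observation(32 * DAY, [interim, sanctioned], {"KSK-INTERIM"}))
    valid = store.state["KSK-SANCTIONED"]
    # 5. Interim key republished with REVOKE set and self-signed: Revoked.
    interim_rev = DNSKey("KSK-INTERIM", revoked=True)
    store.observe(Observation(33 * DAY, [interim_rev, sanctioned],
                              {"KSK-INTERIM", "KSK-SANCTIONED"}))
    revoked = store.state["KSK-INTERIM"]
    # 6. After the remove hold-down the interim anchor is dropped.
    store.observe(Observation(64 * DAY, [sanctioned], {"KSK-SANCTIONED"}))
    removed = store.state["KSK-INTERIM"]
    return ignored, pending, valid, revoked, removed


if __name__ == "__main__":
    print(run_emergency_rollover())
```

Step 1 is the point Jakob confirms: with the compromised anchor gone, the interim TA's self-signed RRset carries no authority and the state machine never advances, so operators must install it by hand; from step 3 on, the roll to the sanctioned TA proceeds under RFC 5011 exactly as the DPS text says.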