I recall a discussion several years ago about having a site that would have all of the keys accumulated over time. A query to it would return the current key. It's roughly analogous to using a root hints file to find a current root server and from that the full set of current servers.
This wouldn't be hard to do, but it also wasn't considered terribly urgent.

Steve

Sent from my iPhone

> On Nov 16, 2016, at 11:26 AM, william manning <chinese.apri...@gmail.com> wrote:
>
> Johan Ihren and I and Olaf had a competing ID that dealt with shelf life and
> embedded devices w/o an easy way to update key info. RFC 5011 won out since
> shelf life and embedded devices were considered edge cases.
>
> /Wm
>
>> On Wednesday, 16 November 2016, Tony Finch <d...@dotat.at> wrote:
>> Wessels, Duane <dwess...@verisign.com> wrote:
>> >
>> > I don't think it's possible to have a solution that works for devices on
>> > the shelf for an arbitrarily long time. You posed the problem as 10
>> > years, which I think is an unrealistically long time.
>> >
>> > You could probably have a useful discussion about what is an appropriate
>> > amount of time for something to be on the shelf and still expect it to
>> > work. If there is some consensus on that then the operators of the key
>> > material can design around it.
>>
>> Good points.
>>
>> I think 10 years is definitely ambitious, but we do have multiple existing
>> points of comparison:
>>
>> (1) Lifetime of X.509 trust anchors
>>
>> e.g. www.iana.org (where the DNSSEC root trust anchor is distributed)
>> has a cert that chains up to the DigiCert High Assurance EV Root CA which
>> is 10 years old and expires 15 years in the future.
>>
>> (2) Root DNS server IP addresses
>>
>> 8 of the 13 servers have the same IPv4 address as they had in 1999, which
>> is plenty for establishing a quorum of witnesses.
>>
>> Tony.
>> --
>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
>> Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough,
>> becoming mainly high. Thundery showers. Good, occasionally poor.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
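The shelf-life problem the thread turns on, as an added example that is not part of any of the posts above: a simplified Python model of the RFC 5011 add hold-down and REVOKE handling, run once for a resolver that is online throughout a root KSK rollover and once for a device that ships with the old anchor and is first powered on after the old key is gone. The key tags, the day numbers and the rollover timeline are constructed values, not the real root KSK data, and the model omits the Missing state, the remove hold-down and the requirement that a pending key be seen on every poll.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Simplified RFC 5011 trust-anchor state machine, for the "device on the shelf"
# question. Days, key tags and the rollover timeline are constructed values.
ADD_HOLD_DOWN = 30      # RFC 5011 add hold-down in days (simplified: seen at start and end)
REVOKE = 0x0080         # DNSKEY flags REVOKE bit (RFC 5011, section 2.1)
KSK = 0x0101            # ZONE + SEP flags of a key-signing key
OLD_TAG, NEW_TAG = 1001, 2002   # constructed key tags for outgoing and incoming root KSK

@dataclass
class Anchor:
    state: str          # "AddPend", "Valid" or "Revoked"
    since: int          # day the key entered this state

def observe(store: Dict[int, Anchor], day: int, rrset: Dict[int, int], signers: Set[int]) -> bool:
    """Process one poll of the root DNSKEY RRset (key tag -> flags) plus the tags whose
    RRSIGs validate it. Returns False if no currently Valid anchor signed it."""
    trusted = {tag for tag, a in store.items() if a.state == "Valid"}
    if not trusted & signers:
        return False    # cannot validate, so nothing new may be learned from this RRset
    for tag, flags in rrset.items():
        a = store.get(tag)
        if flags & REVOKE and tag in signers and a is not None and a.state == "Valid":
            store[tag] = Anchor("Revoked", day)     # self-signed revoke: distrust at once
        elif a is None and not flags & REVOKE:
            store[tag] = Anchor("AddPend", day)     # new key: start the add hold-down
        elif a is not None and a.state == "AddPend" and day - a.since >= ADD_HOLD_DOWN:
            store[tag] = Anchor("Valid", day)       # hold-down elapsed: now a trust anchor
    return True

# Constructed rollover timeline: (day, DNSKEY RRset, tags that signed it).
TIMELINE: List[Tuple[int, Dict[int, int], Set[int]]] = [
    (0,   {OLD_TAG: KSK},                         {OLD_TAG}),
    (100, {OLD_TAG: KSK, NEW_TAG: KSK},           {OLD_TAG}),           # new KSK published
    (140, {OLD_TAG: KSK, NEW_TAG: KSK},           {OLD_TAG}),
    (200, {OLD_TAG: KSK, NEW_TAG: KSK},           {OLD_TAG, NEW_TAG}),  # both sign
    (300, {OLD_TAG: KSK | REVOKE, NEW_TAG: KSK},  {OLD_TAG, NEW_TAG}),  # old KSK revoked
    (400, {NEW_TAG: KSK},                         {NEW_TAG}),           # old KSK removed
]

def simulate(first_day: int) -> Tuple[bool, Set[int]]:
    """A device shipped with OLD_TAG as its only trust anchor, first powered on at
    first_day, polls every later snapshot. Returns (last poll validated, Valid tags)."""
    store = {OLD_TAG: Anchor("Valid", 0)}
    ok = False
    for day, rrset, signers in TIMELINE:
        if day >= first_day:
            ok = observe(store, day, rrset, signers)
    return ok, {tag for tag, a in store.items() if a.state == "Valid"}
```

`simulate(0)` follows the rollover and ends trusting only the new key, while `simulate(400)` is stranded on the old anchor and can never validate the current RRset; a device that wakes at day 300 also fails, because the old key is revoked before the new one's hold-down can complete.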