Steve Crocker <st...@shinkuro.com> wrote:

> I recall a discussion several years ago about having a site that would have
> all of the keys accumulated over time. A query to it would return the
> current key. It's roughly analogous to using a root hints file to find a
> current root server and from that the full set of current servers.
You wouldn't want to depend on a single server, because that just moves the point of trust to a different key, and fails to eliminate the single point of failure. Chaining forward through the history of keys and signatures is pretty good, but I don't know how a client could prove freshness or (god forbid) protect itself against compromise of an old key. The quorum-of-witnesses idea could handle all these problems.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
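The trade-off Tony describes, modelled as an added example (not code from the thread or from any DNSSEC implementation): a client chains forward from a trusted anchor through successive key records, then requires a fresh quorum of independent witnesses before accepting the key it arrives at. HMAC tags stand in for signatures, and every key, witness and timestamp is constructed for illustration.

```python
import hmac, hashlib

def sign(secret: bytes, msg: bytes) -> bytes:
    # Stand-in for a signature: an HMAC tag (assumption, so the example runs offline).
    return hmac.new(secret, msg, hashlib.sha256).digest()

def link(cur: bytes, nxt: bytes):
    # One history record: the successor key, vouched for by the key it replaces.
    return (nxt, sign(cur, b"successor:" + nxt))

def walk_chain(anchor: bytes, links):
    """Chain forward from a trusted anchor through the key history.
    Returns the key the chain ends at, or None if any link fails to verify."""
    cur = anchor
    for nxt, tag in links:
        if not hmac.compare_digest(sign(cur, b"successor:" + nxt), tag):
            return None
        cur = nxt
    return cur

def quorum_fresh(key, attestations, witnesses, k, now, max_age) -> bool:
    """Accept `key` only if at least k distinct known witnesses vouch for it
    no more than max_age seconds before `now`.  Attestation = (witness_id, ts, tag)."""
    vouching = set()
    for wid, ts, tag in attestations:
        wsec = witnesses.get(wid)
        if wsec is None or now - ts > max_age:
            continue  # unknown witness, or a statement too old to prove freshness
        if hmac.compare_digest(sign(wsec, key + b"|" + str(ts).encode()), tag):
            vouching.add(wid)
    return len(vouching) >= k

# Constructed sample data: three generations of a zone's key and three witnesses.
K0, K1, K2, K_EVIL = b"key-gen0", b"key-gen1", b"key-gen2", b"key-forged"
HONEST_CHAIN = [link(K0, K1), link(K1, K2)]
FORGED_CHAIN = [link(K0, K1), link(K1, K_EVIL)]  # minted with the retired K1
WITNESSES = {"w1": b"wsec1", "w2": b"wsec2", "w3": b"wsec3"}
NOW = 1_700_000_000
def attest(wid: str, key: bytes, ts: int):
    return (wid, ts, sign(WITNESSES[wid], key + b"|" + str(ts).encode()))
ATTESTATIONS = [attest("w1", K2, NOW - 60), attest("w2", K2, NOW - 120),
                attest("w3", K2, NOW - 90_000)]  # w3's statement is a day old

def demo():
    return {
        "honest_chain_ends_at": walk_chain(K0, HONEST_CHAIN),
        "forged_chain_ends_at": walk_chain(K0, FORGED_CHAIN),  # chain walk alone is fooled
        "k2_has_fresh_quorum": quorum_fresh(K2, ATTESTATIONS, WITNESSES, 2, NOW, 3600),
        "evil_has_fresh_quorum": quorum_fresh(K_EVIL, ATTESTATIONS, WITNESSES, 2, NOW, 3600),
    }
```

The forged chain verifies link by link, which is exactly the old-key compromise Tony worries about; only the witness quorum, with its freshness window, rejects the key it leads to.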