Steve Crocker <st...@shinkuro.com> wrote:
> I recall a discussion several years ago about having a site that would have
> all of the keys accumulated over time.  A query to it would return the
> current key.  It's roughly analogous to using a root hints file to find a
> current root server and from that the full set of current servers.

You wouldn't want to depend on a single server, because that just moves
the point of trust to a different key, and fails to eliminate the single
point of failure.

Chaining forward through the history of keys and signatures is pretty
good, but I don't know how a client could prove freshness or (god
forbid) protect itself against compromise of an old key.

The quorum-of-witnesses idea could handle all these problems.

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
