On 30 Nov 2016, at 8:00, Mikael Abrahamsson wrote:
> On Wed, 30 Nov 2016, Matt Larson wrote:
>> Did you see my message earlier in the thread? Is there a reason you
>> don't include a third option: retrieving the trust anchor file
>> published by IANA/PTI
>> (https://data.iana.org/root-anchors/root-anchors.xml) and validating
>> with the detached S/MIME signature published in the same place
>> (https://data.iana.org/root-anchors/root-anchors.p7s)? That
>> signature chains to the ICANN CA cert, which currently expires in
>> 2029. Sure, it's more code, but it can all be done with OpenSSL, for
>> example.
> This sounds like a workable solution.
> It would be great if ICANN could write a document outlining how to do
> this and perhaps even provide FOSS example code.
Such a document is in process. A FOSS tool can be found at
https://github.com/kirei/dnssec-ta-tools/tree/master/get_trust_anchor
(issues and pull requests invited!), but it might move in the future to
an ICANN or PTI location. A few months ago, Jakob and I did a
presentation about it at OARC.
--Paul Hoffman
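The third option quoted above (fetch root-anchors.xml, verify it against the detached S/MIME signature, then derive DS records), as an added example that is not code from this thread or from the kirei tool: it calls the openssl command line for the CMS check and parses the KeyDigest entries whose validity window covers a given time. The CA bundle path is an assumption, and the sample XML is constructed with placeholder key tags and digests.

```python
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def verify_detached_cms(xml_path, sig_path, ca_bundle):
    """OpenSSL check of the DER detached signature (.p7s) over the XML file;
    ca_bundle (assumed path) must hold the ICANN CA certificate."""
    cmd = ["openssl", "cms", "-verify", "-inform", "DER", "-in", sig_path,
           "-content", xml_path, "-CAfile", ca_bundle, "-out", "/dev/null"]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def _ts(value):  # validFrom/validUntil look like 2010-07-15T00:00:00+00:00
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def ds_records(xml_bytes, now_iso=None):
    """'<zone> IN DS <keytag> <alg> <dtype> <digest>' for each KeyDigest whose
    validFrom/validUntil window covers now (validUntil may be absent)."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    zone = root.findtext("Zone").strip()
    records = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        if _ts(kd.get("validFrom")) > now or (until and _ts(until) <= now):
            continue  # not yet valid, or already expired
        records.append("%s IN DS %s %s %s %s" % (
            zone, kd.findtext("KeyTag"), kd.findtext("Algorithm"),
            kd.findtext("DigestType"), kd.findtext("Digest").strip().upper()))
    return records

def trusted_ds_records(xml_path, sig_path, ca_bundle):
    """Refuse to parse the anchor file until its signature has verified."""
    if not verify_detached_cms(xml_path, sig_path, ca_bundle):
        raise RuntimeError("root-anchors.xml signature did not verify")
    with open(xml_path, "rb") as f:
        return ds_records(f.read())

# Constructed sample in the root-anchors.xml layout; tags/digests are placeholders.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="EXAMPLE-ID" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="ksk-old" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</Digest>
</KeyDigest>
<KeyDigest id="ksk-new" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210</Digest>
</KeyDigest>
</TrustAnchor>"""
```

`trusted_ds_records` is the entry point for real files; `ds_records(SAMPLE_XML, "2016-11-30T00:00:00+00:00")` exercises the validity filtering offline.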
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop