On 2 Nov 2017, at 11:04, Bob Harold <rharo...@umich.edu> wrote:

> I generally agree with you, but wonder if there is a performance penalty to
> searching every possible path before failing. Is that a reasonable concern?
I think there's a much bigger performance penalty from returning an error to an application and requiring an end-user to do something; the small delay introduced by validating a signature chain against a different trust anchor is likely smaller than that in the event that validation subsequently succeeds and irrelevant in the case that it fails.

I think that the performance angle, whilst always worth considering e.g. for impact on scaling properties, is a red herring in this particular case. I think the focus on what policy makes sense and where it should be applied is the right one.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop