Clearly this will require 3 years of subcommittee conferences in order to prove.

.j

On Sun, Dec 26, 2010 at 11:23, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Jay Ashworth:
>
>> ----- Original Message -----
>>> From: "Matt Larson" <mlar...@verisign.com>
>>
>>> The new KSK will not be published in an authenticated manner outside
>>> DNS (e.g., on an SSL-protected web page). Rather, the intended
>>> mechanism for trusting the new KSK is via the signed root zone: DS
>>> records corresponding to the new KSK are already present in the root
>>> zone.
>>
>> That sounds like a policy decision... and I'm not sure I think it sounds
>> like a *good* policy decision, but since no reasons were provided, it's
>> difficult to tell.
>
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it. This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.