fredrik danerklint <fredan-na...@fredan.se> wrote:
>
> and how about an end user, who doesn't understand a computer at all, to
> be able to verify the signatures, correctly?

The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since the validator is a black-box agent acting on the user's behalf, like any other software. It is also required by the root key management policies, since a root key rollover takes a small number of weeks, much shorter than the not-in-service shelf life of validating software and hardware. This means that a validator cannot simply use the root key as a trust anchor and expect to work: it needs some extra infrastructure supported by the vendor to authenticate the root key if there happens to have been a rollover between finalizing the software and deploying it.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Biscay, FitzRoy: Southwesterly 4 or 5, veering northerly or northwesterly 5 or 6, occasionally 7 later in southeast Fitzroy. Rough or very rough. Rain or showers. Good, occasionally poor.