All of those issues relate to separate topics beyond the current scope
of this effort. I was only thinking of authentication for the
protocol. "Kept around" means there could be signatures out there
still valid (sig validity period in the RRSIG) and in cache when the
private portion is no
Scott
- Original Message -
From: "Scott Rose" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, September 30, 2008 4:07 AM
Subject: Re: [DNSOP] Proposed changes to RFC 4641: rollovers
On Sep 29, 2008, at 7:46 AM, [EMAIL PROTECTED] wrote:
any KSK can be used as a TA. there i
At 11:46 AM + 9/29/08, [EMAIL PROTECTED] wrote:
your selection of 12-13 months and 25 years are suspect. Can you provide
the underlying bias for these timeframes?
The 12 month timeframe was adopted from the current 4641. I assume
that this WG decided that, if you want to do rollovers to
On Sep 29, 2008, at 7:46 AM, [EMAIL PROTECTED] wrote:
any KSK can be used as a TA. there is no way to know - unambiguously -
that any given KSK is not being used as a TA in some validator.
however, your assertion that a KSK should -never- be rolled unless
compromise is known or strongly susp
any KSK can be used as a TA. there is no way to know - unambiguously -
that any given KSK is not being used as a TA in some validator.
however, your assertion that a KSK should -never- be rolled unless
compromise is known or strongly suspected is -BAD- from an operational
and likely from a
At 6:23 AM -0700 9/29/08, Wes Hardaker wrote:
> On Sun, 28 Sep 2008 21:14:34 -0700, Paul Hoffman
<[EMAIL PROTECTED]> said:
Overall I think the changes seem reasonable. However, I don't think
everything is taken into account... I understand the desire for
removing the specified timing ass
At 12:08 PM +0200 9/29/08, Matthijs Mekking wrote:
I encourage making the 4641 document more up to date and adding better
definitions. However, one issue drew my attention: I am not sure if
doing key rollover in emergencies only is good practice, for a couple of
reasons:
* All keys have an expec
- Original Message -
From: "Matthijs Mekking" <[EMAIL PROTECTED]>
To: "Paul Hoffman" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, September 29, 2008 3:08 AM
Subject: Re: [DNSOP] Proposed changes to RFC 4641: rollovers
> On Sun, 28 Sep 2008 21:14:34 -0700, Paul Hoffman <[EMAIL PROTECTED]> said:
Overall I think the changes seem reasonable. However, I don't think
everything is taken into account... I understand the desire for
removing the specified timing associated with key-age based on modern
analysis. Bu
Hi Paul,
I encourage making the 4641 document more up to date and adding better
definitions. However, one issue drew my attention: I am not sure if
doing key rollover in emergencies only is good practice, for a couple of
reasons:
* All keys have an e
In the last paragraph of 3.1.1, remove the last sentence ("Although,
given a long enough key..."). Replace it with the following
paragraphs:
There are two schools of thought on rolling a KSK that is not a
trust anchor:
- It should be done regularly (possibly every few months) so that