[ksk-change] Not rolling over, part 2: adding another signing algorithm

Paul Hoffman paul.hoffman at vpnc.org
Sun Sep 21 19:23:36 UTC 2014

Greetings. Joe and David have said that the intended meeting can cover issues other than a key rollover, and the earlier thread points to something that ICANN might want to do before, after, or instead of a key rollover exercise: add a different key with a different signature algorithm, presumably an elliptic curve algorithm with 256-bit keys.

This could be done with the intention of having the two signatures in parallel for a long time, or it could be done with the intention that the shorter, stronger, more reliable key replaces the current key.

--Paul Hoffman

More information about the ksk-rollover mailing list