[ksk-rollover] Suggested update to the key ceremonies.

Benno Overeinder benno at NLnetLabs.nl
Thu Feb 15 12:28:05 UTC 2018


On 15/02/2018 01:36, Geoff Huston wrote:
> 
> 
>> On 15 Feb 2018, at 8:35 am, Paul Hoffman <paul.hoffman at icann.org> wrote:
>>
>> On Feb 14, 2018, at 12:40 PM, Warren Kumari <warren at kumari.net> wrote:
>>> I think that it would be a useful addition to the script to ensure
>>> that, when a new KSK is generated, it does not have the same Key ID as
>>> any previous KSKs. If it *does* have the same Key ID, it should be
>>> discarded and a new one generated.
>>
>> As someone who has to write tools to deal with ICANN's trust anchors, I give this proposal two thumbs up. 
> 
> Warren has done well to point this out, and yes, it's a small but important aspect of the key generation process

I raised the issue of keyid collision also once at the mic, and from
what I remember someone (from ICANN?) mentioned that at any time a (new)
unique keyid will be generated.

But I fully agree it is important to explicitly mention this in the key
generation procedure (ceremony/protocol).

Cheers,

-- Benno


-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
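
The check proposed in this thread, as an added example that is not part of the original messages or of ICANN's ceremony scripts: it computes the DNSKEY key tag (the "Key ID") per RFC 4034 Appendix B and discards any candidate KSK whose tag matches an earlier one. The `generate` callable is a hypothetical stand-in for the real key generation step, and the sample keys are constructed byte strings, not real keys.

```python
import struct
from typing import Callable, Iterable, Tuple

def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    if algorithm == 1:
        # RSA/MD5 uses a different rule (RFC 4034 Appendix B.1); not handled here.
        raise ValueError("algorithm 1 key tags are computed differently")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low one.
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in once
    return acc & 0xFFFF

def generate_unique_ksk(
    generate: Callable[[], bytes],   # hypothetical: returns a new public key
    previous_tags: Iterable[int],    # key tags of every earlier KSK
    flags: int = 257,                # zone key + SEP bit, as used for a KSK
    protocol: int = 3,
    algorithm: int = 8,              # RSA/SHA-256
    max_attempts: int = 16,
) -> Tuple[bytes, int, int]:
    """Return (public_key, key_tag, discarded), skipping colliding candidates."""
    used = set(previous_tags)
    for discarded in range(max_attempts):
        public_key = generate()
        tag = key_tag(flags, protocol, algorithm, public_key)
        if tag not in used:
            return public_key, tag, discarded
        # Collision with an earlier KSK: drop this candidate and try again.
    raise RuntimeError("no candidate with an unused key tag was produced")

# Constructed sample keys (not real key material). The tag is a 16-bit sum,
# so KEY_B, which swaps two octets at even offsets, has the same tag as KEY_A.
KEY_A = bytes.fromhex("03010001aabbccdd")
KEY_B = bytes.fromhex("03010001ccbbaadd")
KEY_C = bytes.fromhex("03010001aabbccde")

if __name__ == "__main__":
    candidates = iter([KEY_B, KEY_C])
    earlier = {key_tag(257, 3, 8, KEY_A)}
    key, tag, discarded = generate_unique_ksk(lambda: next(candidates), earlier)
    print(f"accepted key tag {tag} after discarding {discarded} candidate(s)")
```
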

