[ksk-rollover] Suggested update to the key ceremonies.
Geoff Huston
gih at apnic.net
Wed Feb 21 19:28:58 UTC 2018
>
> So my base point is - don't try to fix the wrong problem. Key tags are what they are and will remain as such. With 16 bits, collisions are inevitable at some point and may actually occur *after* the keys are generated (- revoked keys). Fix 8145 and KSK sentinel instead.
>
> (And by the way - does any of the 8145 or KSK sentinel implementations correctly match a revoked key with its unrevoked brother?)
>
I don't understand this question, Mike - particularly “unrevoked brother” - could you describe in a little more detail what you are referring to here?
thanks,
Geoff
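
Background for the quoted remark that collisions may occur after keys are generated (revoked keys), as an added example that is not part of the original messages or of any RFC 8145 or KSK sentinel implementation: it computes the RFC 4034 Appendix B key tag for a DNSKEY with and without the RFC 5011 REVOKE bit, and shows a comparison that ignores that bit. The key bytes and all helper names are constructed for illustration.

```python
import hashlib
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (not applicable to algorithm 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def same_key(rdata_a: bytes, rdata_b: bytes) -> bool:
    """True when two DNSKEY RDATAs differ at most in the REVOKE bit."""
    fa, = struct.unpack("!H", rdata_a[:2])
    fb, = struct.unpack("!H", rdata_b[:2])
    return (fa | REVOKE) == (fb | REVOKE) and rdata_a[2:] == rdata_b[2:]


def constructed_key(seed: bytes, length: int = 260) -> bytes:
    """Deterministic filler bytes standing in for a public key (constructed, not a real key)."""
    return hashlib.shake_256(seed).digest(length)


def demo():
    pub = constructed_key(b"example-ksk")
    active = dnskey_rdata(257, 8, pub)            # KSK flags: ZONE + SEP
    revoked = dnskey_rdata(257 | REVOKE, 8, pub)  # same key material, flags 385
    # Setting REVOKE adds 128 to the checksum, so the tag moves by 128
    # (129 when the addition carries out of the low 16 bits), modulo 65536.
    return key_tag(active), key_tag(revoked), same_key(active, revoked)


if __name__ == "__main__":
    tag_active, tag_revoked, matched = demo()
    print(f"active tag={tag_active} revoked tag={tag_revoked} same key={matched}")
```

A lookup keyed only on the 16-bit tag treats the revoked form as a different key, and the shifted tag can land on the tag of an unrelated key; comparing the RDATA with the REVOKE bit masked, as `same_key` does, avoids both.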