[ksk-rollover] Suggested update to the key ceremonies.

Wessels, Duane dwessels at verisign.com
Wed Feb 21 19:40:32 UTC 2018


> On Feb 21, 2018, at 2:28 PM, Geoff Huston <gih at apnic.net> wrote:
> 
>> 
>> So my base point is - don't try to fix the wrong problem.  Key tags are what they are and will remain as such.  With 16 bits, collisions are inevitable at some point and may actually occur *after* the keys are generated (- revoked keys).  Fix 8145 and KSK sentinel instead.
>> 
>> (And by the way - does any of the 8145 or KSK sentinel implementations correctly match a revoked key with its unrevoked brother?)
>> 
> 
> I don't understand this question, Mike - particularly “unrevoked brother” - could you describe in a little more detail what you are referring to here?

Setting the revoke bit on a key changes its keytag.  Mike seems to be suggesting that maybe a query/signal for an unrevoked key should also match the revoked key.

I'd say it should not in these cases.  Revoked keys should not be part of the trust anchor set and should not be matched.

DW
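To make the point in the reply concrete, here is an added example (not code from the thread or from any RFC 8145 or KSK sentinel implementation) that computes the RFC 4034 Appendix B key tag over DNSKEY RDATA and shows that setting the RFC 5011 REVOKE bit (0x0080 in the flags field) yields a different tag for the same public key. The DNSKEY used is a constructed sample, not a real key, and `trust_anchor_matches` encodes the matching policy stated above (a revoked key is never matched against a trust-anchor tag) as an assumption for illustration.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 2.1)
FLAG_ZONE = 0x0100
FLAG_REVOKE = 0x0080
FLAG_SEP = 0x0001


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (flags,
    protocol, algorithm, public key).  The obsolete algorithm 1 (RSA/MD5)
    used a different rule, so it is rejected instead of being mis-tagged."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are not computed here")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even bytes high, odd bytes low
    ac += (ac >> 16) & 0xFFFF                 # fold the carry back in
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build wire-format DNSKEY RDATA."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str) -> bytes:
    """Parse the RDATA part of a presentation-format DNSKEY, e.g.
    '257 3 8 AwEAA...'; whitespace inside the base64 is tolerated."""
    fields = presentation.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))
    return dnskey_rdata(flags, protocol, algorithm, pubkey)


def flags_of(rdata: bytes) -> int:
    return struct.unpack("!H", rdata[:2])[0]


def is_revoked(rdata: bytes) -> bool:
    return bool(flags_of(rdata) & FLAG_REVOKE)


def revoke(rdata: bytes) -> bytes:
    """Return the same key with the REVOKE bit set.  Because the flags are
    the first two bytes of the RDATA, this changes the key tag."""
    return struct.pack("!H", flags_of(rdata) | FLAG_REVOKE) + rdata[2:]


def trust_anchor_matches(rdata: bytes, anchor_tags: set) -> bool:
    """Assumed matching policy: a key carrying the REVOKE bit never matches a
    configured trust-anchor tag, even though its unrevoked form might."""
    if is_revoked(rdata):
        return False
    return key_tag(rdata) in anchor_tags


# Constructed sample key (not a real DNSKEY): KSK flags 257 (ZONE|SEP),
# protocol 3, algorithm 8, short made-up public-key bytes.
SAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01]) + bytes(range(0xA0, 0xB0))
SAMPLE_KSK = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 3, 8, SAMPLE_PUBKEY)
SAMPLE_PRESENTATION = "257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode()


if __name__ == "__main__":
    unrevoked, revoked = SAMPLE_KSK, revoke(SAMPLE_KSK)
    print("unrevoked tag:", key_tag(unrevoked))   # 17488 for the sample key
    print("revoked tag:  ", key_tag(revoked))     # 17616 for the sample key
    print("revoked key matches anchor set {17488}?",
          trust_anchor_matches(revoked, {key_tag(unrevoked)}))
```

For a KSK whose flags are 257, setting REVOKE makes the low flags byte 0x81 instead of 0x01, so the accumulator grows by exactly 128 before the carry fold; the revoked tag is therefore 128 higher (modulo the 16-bit fold) than the unrevoked one. A signal that carries only the unrevoked tag will not, by itself, identify the revoked key.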

