[ksk-rollover] Retention of the 2010 KSK
Matthew Pounsett
matt at conundrum.com
Tue Apr 2 23:11:37 UTC 2019
On Tue, 2 Apr 2019 at 18:38, Geoff Huston <gih at apnic.net> wrote:
>
> I’m uncomfortable with a “keep it indefinitely” position. I would prefer
> to see the community reach some rough consensus on a key chain structure
> of new signing old that would allow a relying party that was configured
> with trust in some previous KSK to use a to-be-determined chain following
> tool that would allow it to trust the current KSK, or we conclude that this
> is a dud concept. At that point we should be destroying revoked KSKs. So
> perhaps we should give ourselves 24 months to either come up with something
> or conclude that it's just not possible. At that point we can destroy
> KSK-2010.
>
Some sort of time limit seems prudent.
There's also the argument that any recovery-chain procedure that we invent
is likely only going to be useful for resolvers that start with the
then-current trust anchor. We don't want to completely rule out the
possibility that we develop something more widely useful, so I wouldn't
suggest deleting it right away, but I agree that we shouldn't keep it
around forever, just in case.
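As an added illustration of the "chain following" idea discussed above (example code written for this page, not anything from ICANN, IANA or the list), the walk below starts from whichever KSK a relying party already trusts and verifies each successor in turn. It assumes each retained KSK signs its successor's public key, uses Ed25519 from Go's standard library in place of the root zone's actual algorithm, and the "2010"/"2017"/"next" labels are placeholders. The second walk in main shows what happens to a resolver still anchored on the oldest key once that key's link is gone, which is the situation a retention deadline has to weigh.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Link is one step in a hypothetical succession chain: a successor KSK
// public key together with a signature over that key produced by the
// predecessor KSK. This record layout is constructed for the example;
// it is not a published ICANN/IANA format.
type Link struct {
	Successor ed25519.PublicKey
	Sig       []byte
}

// GenerateKSK produces an Ed25519 key pair standing in for one KSK
// generation (Ed25519 only because it is in Go's standard library).
func GenerateKSK() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignSuccessor has a retained (predecessor) KSK vouch for the next KSK.
func SignSuccessor(pred ed25519.PrivateKey, succ ed25519.PublicKey) Link {
	return Link{Successor: succ, Sig: ed25519.Sign(pred, succ)}
}

// FollowChain starts from the KSK the relying party already trusts and
// verifies each link in order. It returns the key at the end of the chain
// on success; a missing, malformed or forged link aborts the walk, so the
// relying party never accepts a key it cannot connect back to its anchor.
func FollowChain(anchor ed25519.PublicKey, chain []Link) (ed25519.PublicKey, error) {
	if len(anchor) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("anchor is not a valid public key")
	}
	current := anchor
	for i, l := range chain {
		if len(l.Successor) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("link %d: malformed successor key", i)
		}
		if !ed25519.Verify(current, l.Successor, l.Sig) {
			return nil, fmt.Errorf("link %d: signature by the preceding KSK does not verify", i)
		}
		current = l.Successor
	}
	return current, nil
}

// BuildDemoChain constructs three hypothetical generations (labelled
// "2010", "2017" and "next" purely for illustration) and the two links
// that connect them, so a caller can try the walk from any anchor.
func BuildDemoChain() (pubs []ed25519.PublicKey, chain []Link, err error) {
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, err := GenerateKSK()
		if err != nil {
			return nil, nil, err
		}
		pubs = append(pubs, pub)
		privs = append(privs, priv)
	}
	chain = []Link{
		SignSuccessor(privs[0], pubs[1]), // "KSK-2010" vouches for "KSK-2017"
		SignSuccessor(privs[1], pubs[2]), // "KSK-2017" vouches for the next KSK
	}
	return pubs, chain, nil
}

func main() {
	pubs, chain, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	// A resolver still configured with the oldest key can reach the current one.
	end, err := FollowChain(pubs[0], chain)
	fmt.Println("walk from oldest anchor reaches current key:", err == nil && end.Equal(pubs[2]))

	// If the oldest key's link were destroyed, that resolver would be stranded.
	_, err = FollowChain(pubs[0], chain[1:])
	fmt.Println("walk with first link destroyed:", err)
}
```

The walker deliberately trusts nothing beyond the anchor it was given: a resolver anchored on a middle generation only needs the later links, and one anchored on a generation whose link has been destroyed gets an error rather than silently accepting an unverifiable key.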