[ksk-rollover] Retention of the 2010 KSK

Matthew Pounsett matt at conundrum.com
Tue Apr 2 23:11:37 UTC 2019


On Tue, 2 Apr 2019 at 18:38, Geoff Huston <gih at apnic.net> wrote:

>
> >
> I’m uncomfortable with a “keep it indefinitely” position. I would prefer
> to see the community reach some rough consensus on a key chain structure
> of new signing old that would allow a relying party that was configured
> with trust in some previous kSK to use a to-be-determined chain following
> tool that would allow it to trust the current KSK, or we conclude that this
> is a dud concept. At that point we should be destroying revoked KSKs. So
> perhaps we should give ourselves 24 months to either come up with something
> or conclude that its just not possible. At that point we can destroy
> KSK-2010.
>

Some sort of time limit seems prudent.

There's also the argument that any recovery-chain procedure that we invent
is likely only going to be useful for resolvers that start with the
then-current trust anchor.  We don't want to completely rule out the
possibility that we develop something more widely useful, so I wouldn't
suggest deleting it right away, but I agree that would shouldn't keep it
around forever, just in case.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190402/963fd010/attachment.html>


More information about the ksk-rollover mailing list