[ksk-rollover] Future rollover planning opportunities
Michael Richardson
mcr+ietf at sandelman.ca
Wed Feb 20 21:08:06 UTC 2019
mcr> I think that there is very little incremental cost to including a
mcr> multitude of keys in a software release. i.e. rather than 1 or 3
mcr> for the next 3-4 years, I'd like to have around a dozen. With a variety
mcr> of algorithms, keysizes, and with the private keys escrowed in a
mcr> variety of ways.
Paul Wouters <paul at nohats.ca> wrote:
> That makes monitoring and transparency recording of private key usage
> much harder. It also raises the possible abuse of any DNSSEC key to the
> weakest key escrow method, and will surely raise lots of red flags with
> people who already don't trust this system.
yeah, so the idea is not that it be a free-for-all, but that we might have
many more keys maintained by perhaps just one additional entity.
--
Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-