[ksk-rollover] Future rollover planning opportunities

Michael Richardson mcr+ietf at sandelman.ca
Wed Feb 20 21:08:06 UTC 2019

    mcr> I think that there is very little incremental cost to including a
    mcr> multitude of keys in a software release.  i.e. rather than 1 or 3
    mcr> for the next 3-4 years,  I'd like to around a dozen.  With a variety
    mcr> of algorithms, keysizes, and with the private keys escrowed in a
    mcr> variety of ways.

Paul Wouters <paul at nohats.ca> wrote:
    > That makes monitoring and transparency recoding of private key usage
    > much harder.  It also raises the possibly abuse of any DNSSEC key to the
    > weakest key escrow method, and will surely raise lots of red flags with
    > people who already don't trust this system.

yeah, so the idea is not that it be a free-for-all, but that we might have
many more keys maintained by perhaps just one additional entity.

Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190220/300fe684/signature.asc>

More information about the ksk-rollover mailing list