[ksk-rollover] Retention of the 2010 KSK

Hugo Salgado-Hernández hsalgado at nic.cl
Fri Mar 29 14:32:07 UTC 2019

On 08:10 29/03, Geoff Huston wrote:
> I have no idea Paul - but I do know that once the key is destroyed the entire conversation is kinda pointless, and I thought it was a little bit preemptory to slam the door shut on such musings..

Actually, I can see a use for the KSK-2010 yet. We can measure the
"sunsetting" of this key from the resolvers by having a special
record somewhere signed only by KSK-2010, and by testing its
validation status from a resolver we could know if it's revoked or
if it's still configured as a trust anchor.

Having the certainty of speed of sunset is useful in the case of
compromise of a key, where you'd want to invalidate it quickly.

Hugo Salgado
