This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] KSK lifetimes
Jim Reid
jim at rfc1035.com
Fri Feb 5 17:05:29 CET 2010
On 5 Feb 2010, at 15:39, Ralf Weber wrote:

> Well the original reason was Anand's mail that Fedora delivered an
> old ripe key. This would not be the case with a key life time of
> say two years.

It would always be a problem if Fedora shipped something with the old keys, no matter what their lifetime was. Stale keys are still stale keys. This sort of problem is always a nuisance for an OS that depends on informal, volunteer efforts. If the guys working on some tool/project drag their feet or give up, stale code and obsolete configuration data can end up in the distros and repositories.

In any case, these alternate trust anchors should hopefully be dead and buried soon. Assuming we have a signed root this summer....

So, given that we should have a signed root Real Soon Now (=> alternate trust anchor schemes fade into oblivion), what impact does that have on the NCC's KSK rollover policy? Will the current schedule be too aggressive or unreasonable when this happens? [And .arpa gets signed of course...] Why? I'd welcome some discussion about this.