This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] KSK lifetimes
Paul Wouters
paul at xelerance.com
Fri Feb 5 17:55:04 CET 2010
On Fri, 5 Feb 2010, Edward Lewis wrote:

> The outcome of the thread was that, if left up to the cryptographic issues,
> there would be no need to change keys until a key was detected as being
> broken. This is because the effective lifetime of a key is not determined by
> the key itself but rather by the determination of the attackers. The moral -
> you only need to change the key in an emergency.

I don't think that was the outcome at all. As I read it, the outcome was
"cryptographers are even more conservative than DNS operators, because key
strength is a function of math & money, but the IETF suggested lifetimes
were very safe".

> The realization that it isn't the cryptography limiting the usefulness of the
> key to me is "new thinking." All along I thought that the limitation on the
> effectivity of a key was the cryptography - but for "good enough keys" the
> limitation is how comfortable I am going without changing it and how much
> does it cost to change it.

To that I agree.

Paul