On Oct 24 2008, D. Stussy wrote, re the dlv.isc.org KSK,

>If isc.org is going to change it annually or so, fine, but then let them
>publish about 4 key-signing-keys, even if only one is actively used. That
>would be 4 years worth of keys, which should be enough to cover 4+ years -
>long enough for ICANN to get off their asses and sign the root zone.

This doesn't make much (I am inclined to say "any") sense. Publishing the keys subjects them to attack, whether they are used for signing or not. The whole point of changing the keys regularly is to limit the time they are exposed to such attack. Also, 4 years is a long time in cryptographic techniques. Who is to say, for example, whether a 2048-bit KSK will still be adequate after that long?

--
Chris Thompson
Email: [EMAIL PROTECTED]
