On 22-Apr-2009, at 15:17, Paul Hoffman wrote:

> Yes. For example, Ubuntu server "long term stable" releases are only put out every few years. If you pick one of them, you start off with an old image, then *hopefully* update as soon as you install. But, if you just turn on some services, this will be a problem that is quite different than the typical "but you might be running unsafe binaries".

Perhaps software vendors ought to arrange their own distribution of trust anchors using trust tokens whose lifetimes suit the software. It seems likely that one size will not fit all.

For example, Ubuntu might require a package to be retrieved and installed after installation containing current trust anchors before it is possible to turn on validation. That package would presumably be authenticated using a key shipped with the OS whose lifetime is predictable in the context of the OS (e.g. a PGP key whose public portion is shipped on the install media, and hence which might be at least as trustworthy as the rest of the OS installed from the same bit of plastic).

I don't like the idea of incorporating magic numbers (e.g. "nine months") algorithmically when trying to determine suitability of an old trust anchor. That seems likely to result in unnecessary collateral damage in the event of an emergency KSK rollover.

I don't ship software, so I don't know how practical this general advice is. But it seems like a bad idea to package trust anchors administered by others with any piece of software, if there's a chance that those trust anchors are going to form a circular dependency in the process of updating them.


Joe
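An added illustration of the point made above about age-based "magic numbers" versus an authenticated current anchor set; this is example code written for this page, not anything from the thread or from any OS vendor, and every DS record, key tag and date in it is constructed.

```python
"""Trust-anchor usability: age heuristic vs. authenticated current set.

Added example, not from the DNSOP thread. An OS image ships a DNSSEC
trust anchor; deciding by its age (e.g. "younger than nine months") is
unsafe because an emergency KSK rollover invalidates the anchor no
matter how fresh it is. The safe test is membership in a current anchor
set obtained and authenticated separately (e.g. a package verified with
an OS-shipped key). All DS records and dates here are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(rr: str) -> DS:
    """Parse a DS record in presentation format: '. IN DS 19036 8 2 <hex>'."""
    fields = rr.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "DS"]:
        raise ValueError(f"not a DS record: {rr!r}")
    key_tag, alg, dtype = (int(x) for x in fields[3:6])
    digest = "".join(fields[6:]).upper()  # digest may be split across fields
    return DS(key_tag, alg, dtype, digest)


def usable_by_age(shipped_on: date, today: date, max_age_days: int = 270) -> bool:
    """The heuristic argued against: 'still fine if younger than N days'."""
    return (today - shipped_on) <= timedelta(days=max_age_days)


def usable_by_membership(shipped: list, current: list) -> bool:
    """An anchor is usable only if it is still in the authenticated current set."""
    return any(ds in set(current) for ds in shipped)


# Constructed scenario: image built with anchor key tag 11111 two months ago;
# an emergency rollover has since replaced it with key tag 22222.
SHIPPED = [parse_ds(". IN DS 11111 8 2 " + "AA" * 32)]
CURRENT_AFTER_ROLLOVER = [parse_ds(". IN DS 22222 8 2 " + "BB" * 32)]
CURRENT_NO_ROLLOVER = SHIPPED + CURRENT_AFTER_ROLLOVER


def decisions(shipped_on: date, today: date) -> dict:
    """Both rules for the same anchor: the age rule says yes, membership says no."""
    return {"age_rule": usable_by_age(shipped_on, today),
            "membership_rule": usable_by_membership(SHIPPED, CURRENT_AFTER_ROLLOVER)}


if __name__ == "__main__":
    print(decisions(date(2009, 2, 20), date(2009, 4, 22)))
```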
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
