On Fri, Jan 22, 2010 at 12:35 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> At 8:18 PM +0000 1/22/10, bmann...@vacation.karoshi.com wrote:
>>On Fri, Jan 22, 2010 at 09:13:22AM -0800, Paul Hoffman wrote:
>>> At 4:56 PM +0000 1/22/10, Tony Finch wrote:
>>> >On Thu, 21 Jan 2010, Paul Hoffman wrote:
>>> >>
>>> >> - Regular rolling can give you a false sense of security about your 
>>> >> rolling process
>>> >
>>> >How can you have any sense of security about your rolling process if you
>>> >don't exercise it?
>>>
>>> Why do people think the opposite of "regular" is "never"?
>>>
>>> --Paul Hoffman, Director
>>
>>
>>       to borrow from Andrew - let me posit an analogy...
>>
>>       would you rather have your LASIX or LIOP  surgery done
>>       by someone who has done 12,000 such procedures and
>>       does a couple a week or someone who has done a dozen
>>       and does them about every couple years or so?
>>
>>       sure, the doctor who does them all the time -might- get
>>       sloppy and cut corners  --  but is that worse than someone
>>       who has only passing understanding of what they are actually
>>       doing?
>>
>>       the risk isn't -never-, the risk is lack of experience.
>
> Why do people think this is about "the risk" instead of "the risks"?

I haven't formed a useful opinion one way or the other about the operational
value of frequent key rollovers. However, it seems to me that the value
of those practices is more or less independent of key size, so we've
travelled fairly far afield from the original claim that we need rollovers
to compensate for being forced to use overly-short RSA keys.

-Ekr
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
