Ted Lemon <mel...@fugue.com> wrote:

> Why would you put a device on the shelf for ten years?

The failure occurs if a device is on the shelf for the wrong 6 months (second half of 2017) and this is a completely reasonable length of time to hold stock.

> This is certainly a known issue that has been talked about at
> length--the conclusion when it was discussed is that there is nothing we
> can do about it, and it's relatively unlikely, and manually fixable.

It isn't manually fixable by most people.

It *can* be handled automatically. Your vendor needs to provide one or more statically-configured bootstrap server IP addresses and non-DNSSEC bootstrap trust anchor(s). The device can then get the time and trust anchors (e.g. using something like tlsdate) from the bootstrap server and do whatever other software updates it needs to when it is unboxed.

In principle it's possible to do a vendor-neutral version, provided there are some organizations willing to provide some long-term infrastructure. Each "witness" organization provides a bootstrap time server and key server, and its own self-signed bootstrap certificate.

None of the witnesses are individually trusted, though! Each witness can only state its view of the world, which must be distrusted until it is sufficiently corroborated. A device bootstraps trust by observing that a quorum of witnesses agree. There must be several independent witnesses to provide resilience against compromise or withdrawal of service.

The bootstrap certs mustn't become permanent. Each witness generates a new key and certificate annually, and distributes the cert out-of-band for use in new software and configurations. Witnesses can update their bootstrap server IP address the same way. The old certs and IP addresses continue to work for as long as possible.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon: West or southwest 5 to 7, occasionally gale 8 later. Rough or very rough, becoming high. Occasional rain. Good, occasionally moderate.
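The quorum-of-witnesses bootstrap described in the message above, as an added example that is not part of the original post: the device holds pinned bootstrap keys for each witness (two key generations per witness, modelling the annual rotation with old keys still accepted), collects each witness's signed statement of its time and trust anchor, and accepts an anchor only when a quorum of distinct witnesses corroborate it with clocks that agree within a skew bound. The witness names, keys, anchor names, quorum and skew values are constructed assumptions, and an HMAC tag stands in for the signature a real self-signed bootstrap certificate would verify.

```python
import hashlib, hmac, json, statistics

# Pinned per-witness bootstrap keys shipped in firmware (constructed sample
# values). Two generations per witness model the annual rotation: the old
# key keeps working. A real device would pin self-signed certificates and
# check a public-key signature; HMAC is a stand-in so this runs offline.
WITNESS_KEYS = {
    "witness-a": {"2016": b"a-2016-key", "2017": b"a-2017-key"},
    "witness-b": {"2016": b"b-2016-key", "2017": b"b-2017-key"},
    "witness-c": {"2017": b"c-2017-key"},
    "witness-d": {"2017": b"d-2017-key"},
}
QUORUM = 3        # distinct witnesses that must agree (assumed value)
MAX_SKEW = 300    # seconds of clock disagreement tolerated (assumed value)

def sign_statement(witness, key_id, time, anchor):
    """Witness side: its own view of the world, tagged with its bootstrap key."""
    body = json.dumps({"witness": witness, "key_id": key_id,
                       "time": time, "anchor": anchor}, sort_keys=True)
    tag = hmac.new(WITNESS_KEYS[witness][key_id], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_statement(msg):
    """Device side: accept only statements tagged with a pinned witness key."""
    try:
        claim = json.loads(msg["body"])
        key = WITNESS_KEYS[claim["witness"]][claim["key_id"]]
    except (KeyError, ValueError, TypeError):
        return None
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return claim if hmac.compare_digest(expected, msg["tag"]) else None

def bootstrap(messages):
    """Return (anchor, time) once QUORUM distinct witnesses corroborate the
    same trust anchor with clocks within MAX_SKEW; otherwise None."""
    claims = {}
    for msg in messages:
        claim = verify_statement(msg)
        if claim and claim["witness"] not in claims:   # one vote per witness
            claims[claim["witness"]] = claim
    by_anchor = {}
    for c in claims.values():
        by_anchor.setdefault(c["anchor"], []).append(c["time"])
    for anchor, times in by_anchor.items():
        if len(times) >= QUORUM and max(times) - min(times) <= MAX_SKEW:
            return anchor, int(statistics.median(times))
    return None   # insufficiently corroborated: stay untrusting
```

A single witness that is compromised, repeats itself, or has a wildly wrong clock cannot push a device past the quorum on its own.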