Wessels, Duane <dwess...@verisign.com> wrote:
>
> I don't think it's possible to have a solution that works for devices on
> the shelf for an arbitrarily long time. You posed the problem as 10
> years, which I think is an unrealistically long time.
>
> You could probably have a useful discussion about what is an appropriate
> amount of time for something to be on the shelf and still expect it to
> work. If there is some consensus on that then the operators of the key
> material can design around it.
Good points. I think 10 years is definitely ambitious, but we do have
multiple existing points of comparison:

(1) Lifetime of X.509 trust anchors, e.g. www.iana.org (where the DNSSEC
root trust anchor is distributed) has a cert that chains up to the
DigiCert High Assurance EV Root CA, which is 10 years old and expires
15 years in the future.

(2) Root DNS server IP addresses: 8 of the 13 servers have the same IPv4
address as they had in 1999, which is plenty for establishing a quorum
of witnesses.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very
rough, becoming mainly high. Thundery showers. Good, occasionally poor.