Johan Ihren and I and Olaf had a competing ID that dealt with shelf life and
embedded devices w/o an easy way to update key info.  RFC 5011 won out
since shelf life and embedded devices were considered edge cases.

/Wm

On Wednesday, 16 November 2016, Tony Finch <d...@dotat.at> wrote:

> Wessels, Duane <dwess...@verisign.com> wrote:
> >
> > I don't think its possible to have a solution that works for devices on
> > the shelf for an arbitrarily long time.  You posed the problem as 10
> > years, which I think is an unrealistically long time.
> >
> > You could probably have a useful discussion about what is an appropriate
> > amount of time for something to be on the shelf and still expect it to
> > work.  If there is some consensus on that then the operators of the key
> > material can design around it.
>
> Good points.
>
> I think 10 years is definitely ambitious, but we do have multiple existing
> points of comparison:
>
> (1) Lifetime of X.509 trust anchors
>
> e.g. www.iana.org (where the DNSSEC root trust anchor is distributed)
> has a cert that chains up to the DigiCert High Assurance EV Root CA which
> is 10 years old and expires 15 years in the future.
>
> (2) Root DNS server IP addresses
>
> 8 of the 13 servers have the same IPv4 address as they had in 1999, which
> is plenty for establishing a quorum of witnesses.
>
> Tony.
> --
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough,
> becoming mainly high. Thundery showers. Good, occasionally poor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>