Re: [dane] revocation of keys or certificates

2013-03-08 Thread Phillip Hallam-Baker
For security considerations, only the signature expiration time is significant. The problem is that an attacker with control of the key could in theory set the expiration time to 2099 or something stupid. But that is already a known security consideration (or was). If the attacker has only one RRS

Re: [dane] revocation of keys or certificates

2013-03-05 Thread Mark Andrews
In message , James Cloos writes: > It looks like a let offline distractions get the better of me with my > previous post on this topic. > > What I wanted to write is that, given that dns servers cope well with > very short RR TTLs, they also should cope well with short-duration RRSIGs. Actually

Re: [dane] revocation of keys or certificates

2013-03-05 Thread James Cloos
It looks like a let offline distractions get the better of me with my previous post on this topic. What I wanted to write is that, given that dns servers cope well with very short RR TTLs, they also should cope well with short-duration RRSIGs. -JimC -- James Cloos OpenPGP: 1024D/ED7DAEA

Re: [dane] revocation of keys or certificates

2013-03-05 Thread Olafur Gudmundsson
On Mar 4, 2013, at 11:45 PM, Martin Rex wrote: > Mark Andrews wrote: >> >>> >>> TTL is *NOT* signed. >>> >>> While there is an original TTL field that is signed: >>> http://tools.ietf.org/html/rfc4034#section-3.1.4 >>> >>> this will not prevent any intermediary (attacker) to produce >>> n

Re: [dane] revocation of keys or certificates

2013-03-04 Thread Martin Rex
Mark Andrews wrote: > > > > > TTL is *NOT* signed. > > > > While there is an original TTL field that is signed: > >http://tools.ietf.org/html/rfc4034#section-3.1.4 > > > > this will not prevent any intermediary (attacker) to produce > > new DNS responses with TTLs less than or equal to the

Re: [dane] revocation of keys or certificates

2013-03-04 Thread Mark Andrews
In message <20130305040318.aa59a1a...@ld9781.wdf.sap.corp>, Martin Rex writes: > Mark Andrews wrote: > > > > Martin Rex writes: > > > Christian Becker wrote: > > > > Comparing PKIX and DANE I regularly get asked about the certificate > > > > revocation in DANE. > > > > > > There is no revocation

Re: [dane] revocation of keys or certificates

2013-03-04 Thread Martin Rex
Mark Andrews wrote: > > Martin Rex writes: > > Christian Becker wrote: > > > Comparing PKIX and DANE I regularly get asked about the certificate > > > revocation in DANE. > > > > There is no revocation in DANE. > > > > There is only expiration through RRSIG Signature Expiration > > and invalida

Re: [dane] revocation of keys or certificates

2013-03-04 Thread Mark Andrews
In message <20130305000514.19dc81a...@ld9781.wdf.sap.corp>, Martin Rex writes: > Christian Becker wrote: > > Comparing PKIX and DANE I regularly get asked about the certificate > > revocation in DANE. > > There is no revocation in DANE. > > There is only expiration through RRSIG Signature Expiri

Re: [dane] revocation of keys or certificates

2013-03-04 Thread Martin Rex
Christian Becker wrote: > Comparing PKIX and DANE I regularly get asked about the certificate > revocation in DANE. There is no revocation in DANE. There is only expiration through RRSIG Signature Expiration and invalidation through zone key roll-over. > > In that case the revocation process c

Re: [dane] revocation of keys or certificates

2013-03-04 Thread Christian Becker
On 04.03.2013 07:37, Paul Wouters wrote: > On Sun, 3 Mar 2013, James Cloos wrote: > >>> "RB" == Richard Barnes writes: >> >> RB> So short TTLs are the only tool you have. >> >> And that really ought to be sufficient. > > Just to clarify, it is the short RRSIGs that give you the "revocation

Re: [dane] revocation of keys or certificates

2013-03-03 Thread Paul Wouters
On Sun, 3 Mar 2013, James Cloos wrote: "RB" == Richard Barnes writes: RB> So short TTLs are the only tool you have. And that really ought to be sufficient. Just to clarify, it is the short RRSIGs that give you the "revocation" of removing the record from the zone, not the short TTL. If you

Re: [dane] revocation of keys or certificates

2013-03-03 Thread Christian Huitema
>> "RB" == Richard Barnes writes: > > RB> So short TTLs are the only tool you have. > > And that really ought to be sufficient. It is not at all uncommon to have TTLs as low as an hour or even a minute for some RRs without any significant impact on the dns servers. It also has the advantage

Re: [dane] revocation of keys or certificates

2013-03-03 Thread James Cloos
> "RB" == Richard Barnes writes: RB> So short TTLs are the only tool you have. And that really ought to be sufficient. It is not at all uncommon to have TTLs as low as an hour or even a minute for some RRs without any significant impact on the dns servers. And even if it is for a TLS serve

Re: [dane] revocation of keys or certificates

2013-03-03 Thread Richard Barnes
ker > Sent: Sunday, March 03, 2013 12:16 PM > To: dane@ietf.org > Subject: [dane] revocation of keys or certificates > > Comparing PKIX and DANE I regularly get asked about the certificate > revocation in DANE. To me revocation is straight forward: you change keys > in the TLSA record. B

Re: [dane] revocation of keys or certificates

2013-03-03 Thread Yoav Nir
: dane@ietf.org Subject: [dane] revocation of keys or certificates Comparing PKIX and DANE I regularly get asked about the certificate revocation in DANE. To me revocation is straight forward: you change keys in the TLSA record. BUT what if the key was propagated with a large TTL to the caches of

[dane] revocation of keys or certificates

2013-03-03 Thread Christian Becker
Comparing PKIX and DANE I regularly get asked about the certificate revocation in DANE. To me revocation is straight forward: you change keys in the TLSA record. BUT what if the key was propagated with a large TTL to the caches of the worlds DNS servers. In that case the revocation process can only