Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-23 Thread Matthew Hardeman via dev-security-policy
I believe that Paul Wouters has made a compelling case regarding the current state of keying practices in DNSSEC deployment today. There is sufficient cryptographic rigor to merit logging this data for review of correct assessment as of the point in time at which certificate issuance decisioning wa

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-23 Thread Paul Wouters via dev-security-policy
On Tue, 22 May 2018, Ryan Sleevi wrote: I know of 12400 512 bit RSA ZSK's in a total of about 6.5 million. And I consider those to be an operational mistake. http://tma.ifip.org/wordpress/wp-content/uploads/2017/06/tma2017_paper58.pdf has some fairly damning empirical data about th

RE: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-23 Thread Tim Hollebeek via dev-security-policy
Right, this is a fair and excellent summary, and there are things I would improve about my responses if I had access to a time machine. Constraints on my time are pretty brutal right now, and that does not always allow me to express myself as well as I would like. I perceived, possibly inco

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-23 Thread Ryan Sleevi via dev-security-policy
Tim, I definitely think we've gone off the rails here, so I want to try to right the cart here. You jumped in on a thread talking about DNSSEC providing smoking guns [1] - which is a grandstanding bad idea. It wasn't yours, but it's one that you jumped into the middle of the discussion, and began

RE: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-23 Thread Tim Hollebeek via dev-security-policy
You’re free to misattribute whatever motives you want to me. They’re not true. In fact, I would like to call on you yet again to cease speculating and imputing malicious motives onto well-intentioned posts. The CAA logging requirements failed in this instance. How do we make them better?

Re: OISTE WISeKey Global Root GC CA Root Inclusion Request

2018-05-23 Thread Pedro Fuentes via dev-security-policy
Thanks Wayne and Ryan, your feedback always helps us to improve. I'll respond in a separate message to Ryan's concerns/questions. Only about the audit periods... it's not easy to synchronize everything, so what we did is the following: - A point-in-time audit after the Root was created - A three-m