Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Todd Glassey
Joe Abley wrote: On 21-Aug-2009, at 10:08, W.C.A. Wijngaards wrote: Is available for review and comment. This represents my take on how to perform trust-anchor management for a validator without having a system update mechanism (which works with unsafe DNS). I don't remember whether I've ex

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Joe Abley
On 25-Aug-2009, at 10:53, Todd Glassey wrote: Joe - the question becomes one of the integrity of the records process Yes, that's my point. That said there are all kinds of PKI Operations Practice reasons including "it's part of our policy to roll keys periodically" If there's no practical

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Todd Glassey
Joe Abley wrote: On 25-Aug-2009, at 10:53, Todd Glassey wrote: Joe - the question becomes one of the integrity of the records process Yes, that's my point. But your point is as a Systems Administrator rather than a Systems Auditor - the reasons for rolling the keys periodically pertain to

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Joe Abley
On 25-Aug-2009, at 12:48, Todd Glassey wrote: If there *is* a practical motivation to roll keys, then let's not infer any trust at all from old keys. I agree that if a KEY is rolled it needs to have its application as a reliable TRUST ANCHOR revoked or terminated for events moving forward

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread bmanning
> > If there's no practical motivation to roll keys, then let's not do it. > Rolling keys is a pain. > > If there *is* a practical motivation to roll keys, then let's not > infer any trust at all from old keys. > > Joe please help me understand "practical motivation"? --bill

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Joe Abley
On 25-Aug-2009, at 13:13, bmann...@vacation.karoshi.com wrote: If there's no practical motivation to roll keys, then let's not do it. Rolling keys is a pain. If there *is* a practical motivation to roll keys, then let's not infer any trust at all from old keys. please help me under

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread bmanning
On Tue, Aug 25, 2009 at 01:37:32PM -0400, Joe Abley wrote: > > On 25-Aug-2009, at 13:13, bmann...@vacation.karoshi.com wrote: > > >>If there's no practical motivation to roll keys, then let's not do > >>it. > >>Rolling keys is a pain. > >> > >>If there *is* a practical motivation to roll keys,

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Joe Abley
On 25-Aug-2009, at 13:51, bmann...@vacation.karoshi.com wrote: the phrase, "practical motivation" is highly subjective. I agree, but I think that's ok. hence the highly subjective nature of practical motivation. who decides? that mouse in your pocket? The person w

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Todd Glassey
Joe Abley wrote: On 25-Aug-2009, at 12:48, Todd Glassey wrote: If there *is* a practical motivation to roll keys, then let's not infer any trust at all from old keys. I agree that if a KEY is rolled it needs to have its application as a reliable TRUST ANCHOR revoked or terminated for events m

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Joe Abley
On 25-Aug-2009, at 15:13, Todd Glassey wrote: Joe Abley wrote: This is all very interesting speculation, but I'm not sure I understand how the use of old keys for forensic purposes relates to the problem of trying to establish a new trust anchor after a period of disconnection. Joe

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Todd Glassey
Joe Abley wrote: On 25-Aug-2009, at 15:13, Todd Glassey wrote: Joe Abley wrote: This is all very interesting speculation, but I'm not sure I understand how the use of old keys for forensic purposes relates to the problem of trying to establish a new trust anchor after a period of discon

Re: [DNSOP] measuring TCP query performance

2009-08-25 Thread David Conrad
[redirected to DNSOP] Michael, On Aug 25, 2009, at 1:50 PM, Michael Graff wrote: All I'm saying is that I don't want someone to benchmark current DNS implementations (which are likely optimized only for UDP) and then use this as proof that the sky is falling. What would you prefer us benchmar

Re: [DNSOP] new version: trust-history-02 draft

2009-08-25 Thread Thierry Moreau
Joe Abley wrote: On 21-Aug-2009, at 10:08, W.C.A. Wijngaards wrote: Is available for review and comment. This represents my take on how to perform trust-anchor management for a validator without having a system update mechanism (which works with unsafe DNS). I don't remember whether I've exp

Re: [DNSOP] measuring TCP query performance

2009-08-25 Thread Paul Vixie
> From: David Conrad > Date: Tue, 25 Aug 2009 15:45:58 -0700 > > Since time is quite short for folks to upgrade their servers and given > some root server operators are financially / operationally / politically > constrained in how they would go about doing the upgrade, it seems to me > that curr

Re: [DNSOP] measuring TCP query performance

2009-08-25 Thread Andrew Sullivan
No hat. On Wed, Aug 26, 2009 at 04:11:26AM +, Paul Vixie wrote: > since time is short, i would prefer a server-side change, supported by a > spec change (which means this would head back to namedroppers@) whereby > (bufsize<1220 && DO=1) would be treated as (DO=0). Of course, some have argu

Re: [DNSOP] measuring TCP query performance

2009-08-25 Thread Florian Weimer
* Paul Vixie: > since time is short, i would prefer a server-side change, supported by a > spec change (which means this would head back to namedroppers@) whereby > (bufsize<1220 && DO=1) would be treated as (DO=0). And what does the resolver with a trust anchor do with the DO=0 answer? Requery