On Jan 31, 2011, at 2:32 PM, Joe Abley wrote:
It's scrappy, and it's little more than I have said on this list in the past
week, but I thought it might be handy to have in written form.
I'm not entirely sure I grokked section 6. It sounds like you're proposing
that we use locally-configured
On 2011-01-31 14:32, Joe Abley wrote:
Per below, Dave and I scribbled some thoughts down about how we might
recommend validators obtain a useful root zone trust anchor on
startup.
Wow, that's fast service. :-)
Individual trust anchors are also packaged as X.509 identity
certificates,
[we should probably choose either dnsop or dnsext for this, and stop posting to
both, sorry for starting that trend]
On 2011-01-31, at 16:44, John Bashinski wrote:
On 2011-01-31 14:32, Joe Abley wrote:
Individual trust anchors are also packaged as X.509 identity
certificates, signed by
On Mon, Jan 31, 2011 at 5:14 PM, Joe Abley jab...@hopcount.ca wrote:
Either way, it's a local trust anchor... and I don't see why X.509
keys are any less compromisable than DNS keys...
The difference is that X.509 keys, as deployed by CAs, have expected
lifetimes measured in decades.
On 2011-01-31, at 15:26, Ted Lemon wrote:
On Jan 31, 2011, at 2:32 PM, Joe Abley wrote:
It's scrappy, and it's little more than I have said on this list in the past
week, but I thought it might be handy to have in written form.
I'm not entirely sure I grokked section 6. It sounds like
Top-replying here, to attempt a high-level suggestion on how to get
some close approximation of time, using DNS/DNSSEC exclusively.
(Warning to those with weak stomachs - this is mildly evil stuff.)
First, without any assurances on the accuracy of local time, the best
that can be achieved
On Tue, 1 Feb 2011, Brian Dickson wrote:
However, once you have a trust anchor (root key) that you have a lot
of confidence in, you can then do some cute DNSSEC tricks to get a
rough idea of time, and then a better idea of time.
First, look at the contents of the RRSIGs for the root. If you
