> This change would require certificates to be re-issued (or possibly > keys to be rolled) all the way down from Trust Anchors. When the > parent CA re-issues a certificate for the child CA with a new style > SKI, then the child will have to re-issue its products with a new AKI. > > This is not impossible, but not trivial either. Especially if a > delegated model is used.
have we done a dnssec-v1? we should be able to change hashes without a flag day. if not, we need to think. randy _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr