To: Edward Lewis <lewis@tislabs.com>
Cc: Dan Massey <masseyd@isi.edu>, dnssec@cafax.se
From: Miek Gieben <miekg@open.nlnetlabs.nl>
Date: Tue, 10 Apr 2001 12:31:30 +0200
In-Reply-To: <v03130303b6f4081499b4@[192.94.214.136]>; from lewis@tislabs.com on Fri, Apr 06, 2001 at 08:05:42PM -0400
Sender: owner-dnssec@cafax.se
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
On Fri, Apr 06, 2001 at 08:05:42PM -0400, Edward Lewis wrote:

> > 2.2. SIG expiration considerations
> >
> > The expiration lifetime of the parental SIG over the
>
> "MUST be kept as short as possible" is poorly worded. The use of the
> subjective "as possible" makes the use of MUST incorrect; a SHOULD would be
> more appropriate.
>
> I don't know if a hard requirement can be placed here. Ultimately, it's up
> to the registry to decide how often they will re-sign the keys.
> Technically, it is good to limit the lifetime of a SIG, but this incurs a
> staffing cost.
>
> (Ya' know, this discussion borders on dnsop quite frequently.)

I'm going to move this section to security considerations and change it
a bit.

> One of the smoldering debates is why there is the need for roll over. On
> the one hand, old SIGs might still be fine if the old key is around. On
> the other hand, doesn't the fact that a new key is available mean you should
> forget the old data?

You will need key rollovers whenever a key is compromised, key over-usage,
new sys admins, etc., etc.

grtz Miek