To:
Miek Gieben <miekg@open.nlnetlabs.nl>
Cc:
Edward Lewis <lewis@tislabs.com>, Dan Massey <masseyd@isi.edu>, dnssec@cafax.se
From:
Edward Lewis <lewis@tislabs.com>
Date:
Thu, 12 Apr 2001 14:59:50 -0400
Delivery-Date:
Fri Apr 13 08:55:41 2001
In-Reply-To:
<20010410123130.A10671@open.nlnetlabs.nl>
Sender:
owner-dnssec@cafax.se
Subject:
Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
At 6:31 AM -0400 4/10/01, Miek Gieben wrote:
>On Fri, Apr 06, 2001 at 08:05:42PM -0400, Edward Lewis wrote:
>> One of the smoldering debates is why there is the need for roll over. On
>> the one hand, old SIGs might still be fine if the old key is around. On
>> the other hand, doesn't the fact that a new key is available mean you should
>> forget the old data?
>you will need key rollovers whenever a key is compromised, key over-usage, new
>sys admins, etc, etc.

Sorry about being unclear. When I wrote that I meant to express this:

"One of the smoldering debates about key rollover is the need to retain the old key."

The need to change keys is known, I just dropped a phrase or two when I was typing. (Too many fine lunches and dinners.) The debate is whether last month's key should be used for anything other than authenticating the new key to the parent.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

Dilbert is an optimist.

Opinions expressed are property of my evil twin, not my employer.