To: Edward Lewis <Ed.Lewis@neustar.biz>
CC: ietf-provreg@cafax.se
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Tue, 25 Oct 2005 21:02:01 +0200
In-Reply-To: <a06200702bf841920cb3f@[192.35.167.157]>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Subject: Re: [ietf-provreg] secdns draft

Edward Lewis wrote:
> At 18:49 +0200 10/25/05, Klaus Malorny wrote:
>
>
> To explain #2. Imagine a registrant creates a key and the (DS data
> representing the) key is sent to the registry. If the registrant's
> private key is then "stolen/guessed/exposed", the party that has gained
> illegitimate access to the key can abuse the key as long as the DS
> record is seen as valid. So, shortening the DS record means the window
> of vulnerability is lessened.
>
> The TTL record value was also considered, but the DNSSEC specs (RFC
> 4034, etc.) already specify the TTL value.
>
>> related to the above:
>>
>> ** what should the registry do at the end of the lifetime?
>
>
> The lifetime is relative. If there is no change, just regenerate the
> signature over the DS record. When to regenerate a signature is a
> deeper topic - some suggest regenerating signatures about 1/2 way
> through the lifetime just to be sure the signatures get out there in
> time. But never sign the DS set for more time than the prudent/agreed
> upon lifetime duration.
>
Thanks for the clarification. I thought the simplest solution to revoke a
key is to remove it from the zone, as it would break the chain of trust also.
But I have to admit that I am not yet fully aware of the effects of the various
caching mechanisms on the time a resolver can falsely assume the correctness of
a revoked key. I have to check that.
regards,
Klaus
--
Dipl. Inf. Klaus Malorny
Klaus.Malorny@knipp.de
Tel. +49 231 9703 0

Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeißer-Weg 9
44227 Dortmund
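The two effects discussed in this exchange, the RRSIG validity period Edward Lewis describes and the resolver caching Klaus Malorny says he still has to check, can be put side by side in a small model. The following is an added illustration, not code from the list or from either participant; the `SignedDS` type, the function names and the sample TTL and lifetime values are constructed for the example, and the "re-sign halfway through the lifetime" rule is the rule of thumb quoted in the thread, not a specification requirement.

```python
"""Window in which a removed DS record may still be trusted by resolvers.

Added illustration for the thread above (not code from the list or its
participants). It models the two effects discussed there: the RRSIG validity
period and the resolver caching of the DS RRset. All times are POSIX seconds;
the sample values are constructed.
"""
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class SignedDS:
    """A DS RRset at the parent together with its RRSIG validity period."""
    ttl: int             # TTL the parent serves the DS RRset with
    sig_inception: int   # RRSIG inception time (absolute)
    sig_expiration: int  # RRSIG expiration time (absolute)


def cache_window(ds: SignedDS, removed_at: int) -> int:
    """Seconds a *passive* resolver may keep trusting the old DS after the
    registry removes it from the zone at `removed_at`.

    Worst case is a resolver that fetched the RRset just before removal: it
    serves the cached answer until the TTL runs out, but a validating
    resolver must not use the data past the RRSIG expiration (RFC 4035,
    section 4.3), so the window is the smaller of the two. A resolver that
    re-queries after removal gets a signed proof of absence instead.
    """
    if removed_at >= ds.sig_expiration:
        return 0
    return min(ds.ttl, ds.sig_expiration - removed_at)


def replay_window(ds: SignedDS, removed_at: int) -> int:
    """Seconds during which the old, still-signed DS RRset would validate if
    it were presented to a resolver again after removal.

    Taking the DS out of the zone does not shorten this: the old RRSIG stays
    cryptographically valid until it expires, so only the signature lifetime
    bounds it. This is the "window of vulnerability" of the thread, and the
    reason the DS signature lifetime is kept short.
    """
    return max(0, ds.sig_expiration - removed_at)


def resign_point(ds: SignedDS) -> int:
    """Time to regenerate the signature under the "re-sign about halfway
    through the lifetime" rule of thumb mentioned in the thread."""
    return ds.sig_inception + (ds.sig_expiration - ds.sig_inception) // 2


def main() -> None:
    # Constructed sample: DS TTL of one day, signature valid for seven days,
    # key compromise noticed and DS removed from the zone on day 3.
    ds = SignedDS(ttl=DAY, sig_inception=0, sig_expiration=7 * DAY)
    removed = 3 * DAY
    print(f"cache window : {cache_window(ds, removed) / DAY:.1f} days")
    print(f"replay window: {replay_window(ds, removed) / DAY:.1f} days")
    print(f"re-sign at   : day {resign_point(ds) / DAY:.1f}")
    # Same TTL, but a one-day signature lifetime: the replay window shrinks
    # to what is left of the signature, the cache window along with it.
    short = SignedDS(ttl=DAY, sig_inception=0, sig_expiration=1 * DAY)
    removed = 6 * 3600
    print(f"short lifetime, removed after 6 h: "
          f"cache {cache_window(short, removed) / 3600:.0f} h, "
          f"replay {replay_window(short, removed) / 3600:.0f} h")


if __name__ == "__main__":
    main()
```

With the seven-day sample, removing the DS on day 3 leaves a passive cache trusting it for at most one more day (the TTL), while the signed RRset itself stays valid for four more days; only shortening the signature lifetime, as the draft proposes, narrows the second figure.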