Re: [babel] [Babel-users] key rotation take #2

Toke Høiland-Jørgensen <> Wed, 28 November 2018 12:09 UTC


Dave Taht <> writes:

> so we invent a new keyword "serial".

So what you're trying to express here is the notion of a "receive-only"
key that is not used for signing outgoing packets, right? If so, I think
it would be better to express that explicitly as a property of the key
config that can be changed on a per-key basis. For one thing, 'serial'
is misleading as it sounds like something that affects the wire format,
and for another, with your proposal it becomes difficult to reinstate a
previously retired key (say, if you want to restore connectivity to an
old router that dropped off while you were changing keys).
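To make the per-key "receive-only" property concrete, here is an added illustration (my own code, not from this thread and not Babel's or babeld's implementation). It models each key with separate `accept` and `sign` flags (names are my own assumptions), signs with HMAC-SHA256 purely for illustration, and walks through a rotation from key 1 to key 2 on two routers, then shows how a lagging router that never received key 2 can be reached again simply by flipping flags on the old key rather than reintroducing it as a brand-new key.

```python
"""Per-key accept/sign flags for graceful key rotation (illustration only)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Key:
    key_id: int
    secret: bytes
    accept: bool = True  # verify incoming packets that carry this key id
    sign: bool = True    # attach a MAC computed with this key to outgoing packets


class KeyTable:
    """Set of configured keys on one router (constructed model, not Babel's format)."""

    def __init__(self):
        self.keys = {}

    def add(self, key_id, secret, *, accept=True, sign=True):
        self.keys[key_id] = Key(key_id, secret, accept, sign)

    def remove(self, key_id):
        self.keys.pop(key_id, None)

    def set_sign(self, key_id, sign):
        # Toggle signing per key; accept stays on so the key is "receive-only".
        self.keys[key_id].sign = sign

    def sign_packet(self, payload):
        # One MAC per signing key, so a peer holding only one of them still verifies.
        return [(k.key_id, hmac.new(k.secret, payload, hashlib.sha256).digest())
                for k in self.keys.values() if k.sign]

    def verify(self, payload, macs):
        # Accept when any attached MAC matches a key we hold with accept=True.
        for key_id, mac in macs:
            k = self.keys.get(key_id)
            if k is None or not k.accept:
                continue
            expected = hmac.new(k.secret, payload, hashlib.sha256).digest()
            if hmac.compare_digest(expected, mac):
                return True
        return False


def delivers(sender, receiver, payload=b"babel hello (constructed payload)"):
    """True if receiver accepts a packet signed by sender's current key set."""
    return receiver.verify(payload, sender.sign_packet(payload))


def rotation_demo():
    """Roll routers a and b from key 1 to key 2 without losing the link, then
    reinstate key 1 on b to reach a lagging router that never got key 2."""
    old, new = b"old-secret-constructed", b"new-secret-constructed"
    a, b, lagging = KeyTable(), KeyTable(), KeyTable()
    for table in (a, b, lagging):
        table.add(1, old)
    results = {}
    # Step 1: install key 2 receive-only on the routers being updated.
    a.add(2, new, sign=False)
    b.add(2, new, sign=False)
    results["step1_ab"] = delivers(a, b)
    # Step 2: start signing with key 2; key 1 still signs as well.
    a.set_sign(2, True)
    b.set_sign(2, True)
    results["step2_ab"] = delivers(a, b)
    # Step 3: demote key 1 to receive-only, then drop it entirely.
    a.set_sign(1, False)
    b.set_sign(1, False)
    results["step3_ab"] = delivers(a, b)
    a.remove(1)
    b.remove(1)
    results["step4_ab"] = delivers(a, b)
    # The router that missed the rollout now fails in both directions.
    results["step4_lagging_to_b"] = delivers(lagging, b)
    results["step4_b_to_lagging"] = delivers(b, lagging)
    # Reinstating key 1 receive-only on b restores lagging -> b immediately ...
    b.add(1, old, sign=False)
    results["reinstated_lagging_to_b"] = delivers(lagging, b)
    # ... while b -> lagging still fails until b also signs with key 1.
    results["reinstated_b_to_lagging"] = delivers(b, lagging)
    b.set_sign(1, True)
    results["resigned_b_to_lagging"] = delivers(b, lagging)
    return results


if __name__ == "__main__":
    for step, ok in rotation_demo().items():
        print(f"{step:26s} {'accepted' if ok else 'rejected'}")
```

The point of the walk-through is that the old key's state is a matter of flipping `sign` (and, if desired, `accept`) rather than deleting and re-entering key material, so an operator can bring a straggler back without touching the wire format or the identity of the key.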