Re: [dnsext] historal root keys for upgrade path?

[Paul Wouters <paul@xelerance.com>]

On Wed, 26 Jan 2011, Phillip Hallam-Baker wrote:

> If you want to distribute keys for immediate use in the DNS, use the infrastructure designed for that purpose.
> If you want to perform long term trust root management, use an architecture that is designed for that purpose.
> 
> X.509v3 is designed to deal with TA keys that are valid for decades. There is experience doing that. There is infrastructure that exists to perform
> management of such keys in a high security environment. And it is possible to outsource management of such to several providers and is is possible to buy
> the equipment to do so in-house.

Which CA(s)s would we have to make the products trust? IANA seems to
be using Godaddy today. Is that guaranteed to last forever? If not,
then how is a device supposed to know which CA IANA has chosen at some
time in the future? Do we just have to trust all 1500+ commercial CA? 
And deal with all the revocations? And how to install new ones, using
what trust? And remember, this is a switch or router, not a browser or
an OS with the "update now" button.

Remember this has to work on a product that has just been factory defaulted
to a config from 10 years ago, and the device is EOL with no firmware upgrades.

> As a general rule, if I install hardware in my enterprise, it is going to have to chain to my root or one that I select.

That's awesome for your enterprise, but the question here transcends
the single enterprise or the single vendor area.

What we are looking at is some guaranteed (preferably DNS but could be http)
based linked list of DNSKEY's that sign each other to show transfer of trust.

This means with ONE original trusted key, the device can climb up to the current
root key in a trusted way. Adding X.509/CA chains solves nothing and adds more
complications.

Paul