Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Edward Lewis <lewis@tislabs.com> Mon, 09 April 2001 14:50 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA08385 for <dnsext-archive@lists.ietf.org>; Mon, 9 Apr 2001 10:50:22 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14mccY-000O7z-00 for namedroppers-data@psg.com; Mon, 09 Apr 2001 07:26:22 -0700
Received: from h236.s254.netsol.com ([216.168.254.236]) by psg.com with esmtp (Exim 3.16 #1) id 14mccX-000O7D-00 for namedroppers@ops.ietf.org; Mon, 09 Apr 2001 07:26:21 -0700
Received: (from markk@localhost) by h236.s254.netsol.com (8.11.0/8.11.0) id f39EHIg04793 for namedroppers@ops.ietf.org; Mon, 9 Apr 2001 10:17:18 -0400 (EDT)
Received: from smtp02.mrf.mail.rcn.net ([207.172.4.61]) by psg.com with esmtp (Exim 3.16 #1) id 14mScR-0005Sy-00 for namedroppers@ops.ietf.org; Sun, 08 Apr 2001 20:45:35 -0700
Received: from 207-172-148-202.s11.as3.anp.md.dialup.rcn.com ([207.172.148.202]) by smtp02.mrf.mail.rcn.net with esmtp (Exim 3.16 #5) id 14mScO-0000AV-00 ; Sun, 08 Apr 2001 23:45:33 -0400
X-Sender: lewis@pop.tislabs.com
Message-Id: <v03130303b6f4081499b4@[192.94.214.136]>
In-Reply-To: <20010405154908.A92004@open.nlnetlabs.nl>
References: <20010403125414.A10897@snarl.east.isi.edu>; from masseyd@isi.edu on Tue, Apr 03, 2001 at 12:54:14PM -0400 <200103301035.MAA20499@omval.tednet.nl> <20010403125414.A10897@snarl.east.isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 06 Apr 2001 20:05:42 -0400
To: Miek Gieben <miekg@open.nlnetlabs.nl>
From: Edward Lewis <lewis@tislabs.com>
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Cc: Dan Massey <masseyd@isi.edu>, namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
At 9:49 AM -0400 4/5/01, Miek Gieben wrote: >2.2. SIG expiration considerations > The expiration lifetime of the parental SIG over the >child's zone KEY MUST be kept as short as possible. A good >value is one day. If there is a child KEY compromise, the >SIGs for that zone are only valid for as long as the >parental SIG is valid. The selfsigned zone KEY stored in the >child's zone can have a much longer expiration lifetime. >The SIG at the child does not serve any purpose, a lifetime >measured in years is not uncommon. "MUST be kept as short as possible" is poorly worded. The use of the subjective "as possible" makes the use of MUST incorrect, a SHOULD would be more appropriate. I don't know if a hard requirement can be placed here. Ultimately, it's up to the registry to decide how often they will resign the keys. Technically, it is good to limit the lifetime of a SIG, but this incurs a staffing cost. (Ya' know, this discussion borders on dnsop quite frequently.) > >----------- >I don't (yet) know if it matters if a child has a shorter >lifetime on the sig than the parent. The meanings of the SIG by the parent and the SIG by the child are almost unrelated. The parent says "this key is good" and the child says "I have the private key for this." Because of this, I can't justify tying the two SIG durations in a specification. >We are not sure how or why you come to this conclusion from section >4. The idea was, and still is, to have a short transition period >where both the old and new key are active. One of the smokdering debates is why there is the need for roll over. On the one hand, old SIGs might still be fine if the old key is around. On the other hand, isn't the fact that a new key is available mean you should forget the old data? Now, the desire to use the old key to sign the new key set is the first requirement I have heard that justifies the continued use of the old key once the new key is present. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com Dilbert is an optimist. Opinions expressed are property of my evil twin, not my employer. to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Roy Arends
- Re: Signature at parent (draft-ietf-dnsop-parent-… Miek Gieben
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… John Gilmore
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Dan Massey
- DNS vs. non-DNS Data (was Re: Signature at parent… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Randy Bush
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Peter Koch
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis