Re: [DNSOP] regarding dnssec-key-timing RFC 7583

Michael StJohns <msj@nthpermutation.com> Mon, 10 September 2018 20:07 UTC

To: dnsop@ietf.org
References: <CAMMaX1ZyemZNhyQvAdb7tB-bY20g6T9+viL7ytniO6-tDDqkXg@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <9605c0cb-e87e-f85d-7651-7fcf41438cd3@nthpermutation.com>
Date: Mon, 10 Sep 2018 16:07:01 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kc5QE_Z8zZ--L3659XhloQWe48g>

Generally, CRLs work reasonably well for revoking intermediate CAs and 
leaf certificates, not so well for dealing with trust anchors. CRLs 
work by the parent signing the revocation (and by being able to re-issue 
new certificates). Root certs/trust anchors by definition do not have 
parents.

There's a lot more - but that's the gist of the issue.

Mike

On 9/10/2018 2:56 PM, shabbir ali wrote:
> Hi all,
> My question is that instead of messing with the DNSSEC key Rollover 
> timing and all that manual and automation tools dependencies, why not 
> simply use a key revocation list just like a certificate revocation 
> list (CRL)?
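The structural point in Mike's reply (a CRL is only as good as the parent signature the verifier can check, and a trust anchor has no parent) as an added illustration, not code from the thread or from any DNSSEC or PKI implementation. Certificates, CRLs, the `check_revocation` function and the key names are constructed for this example; a "signature" is modelled as the id of the signing key, since the argument is about the trust structure rather than the cryptography.

```python
from dataclasses import dataclass

# Constructed toy model of X.509-style revocation checking. A certificate
# binds a subject key to the issuer (parent) key that signed it; a CRL is
# signed by the issuer of the certificates it lists. Signatures are modelled
# by the signer's key id; the verifier accepts a CRL only when that signer is
# the parent it has already validated on the chain (or one of its anchors).

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # equals subject for a self-signed trust anchor

@dataclass(frozen=True)
class CRL:
    issuer: str          # CA whose certificates this list covers
    revoked: frozenset   # subjects the issuer has revoked
    signer: str          # key id that "signed" the list

def check_revocation(chain, anchors, crls):
    """Walk a chain ordered leaf -> anchor and report, per subject, what the
    verifier can conclude from the CRLs it was given."""
    results = {}
    by_issuer = {c.issuer: c for c in crls}
    for cert in chain:
        if cert.subject in anchors and cert.issuer == cert.subject:
            # The anchor is where validation starts: there is no parent whose
            # signature the verifier could check on a CRL that revokes it, and
            # no parent to issue a replacement anchor afterwards.
            results[cert.subject] = "unverifiable: trust anchor has no parent"
            continue
        crl = by_issuer.get(cert.issuer)
        if crl is None:
            results[cert.subject] = "no CRL from issuer"
        elif crl.signer != cert.issuer:
            # A revocation statement is only meaningful when the parent of the
            # revoked certificate signed it.
            results[cert.subject] = "CRL rejected: not signed by issuer"
        elif cert.subject in crl.revoked:
            results[cert.subject] = "revoked"
        else:
            results[cert.subject] = "good"
    return results

# Constructed sample hierarchy: leaf <- intermediate <- self-signed root.
CHAIN = [Cert("www.example.test", "IntCA"), Cert("IntCA", "Root"), Cert("Root", "Root")]
ANCHORS = {"Root"}
CRLS = [CRL("Root", frozenset({"IntCA"}), "Root"),       # parent revokes the intermediate
        CRL("IntCA", frozenset({"www.example.test"}), "Mallory")]  # not signed by the issuer
```

Running `check_revocation(CHAIN, ANCHORS, CRLS)` shows the intermediate revoked by its parent, the leaf's CRL rejected because the wrong key signed it, and the root reported as unverifiable because no parent exists to sign its revocation.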