Re: [dnsext] SIG inception/expiration
Miek Gieben <miek@miek.nl> Mon, 02 January 2012 14:03 UTC
[ Quoting <marka@isc.org> at 00:52 on Jan 3 in "Re: [dnsext] SIG inc..." ]
>
> In message <20120102104613.GB12764@miek.nl>, Miek Gieben writes:
> > Hello list,
> >
> > A recent dnssec-deployment discussion led to the question on why the
> > expiration/inception time in the RRSIG are in the "wrong" order.
>
> Actually the order makes lots of sense. Expiration time is almost
> always the critical value in a signature. Inception time is almost
> always in the past. One could completely remove inception time
> and still have secure signatures.

But was this the original reason to change the order? And someone,
not trained in the Jedi ways of DNSSEC, will look at an RRSIG and
assume the first time stamp is the inception and the second one is
expiration.

grtz,

--
Miek
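
The field order discussed in this message, as an added example that is not part of the original thread: a Python sketch that reads the two timestamps from an RRSIG in RFC 4034 presentation format (expiration first, inception second) and checks the validity window with RFC 1982 serial arithmetic. The sample record, its placeholder signature and all function names are constructed for illustration.

```python
import calendar
import time

MASK = 0xFFFFFFFF

# Constructed sample record; the trailing "AAAA" is a placeholder signature.
SAMPLE_RRSIG = ("example.net. 3600 IN RRSIG A 8 2 3600 "
                "20120201000000 20120102000000 12345 example.net. AAAA")

def parse_ts(field):
    """Timestamp is YYYYMMDDHHmmSS in UTC (always 14 digits) or decimal epoch seconds."""
    if len(field) == 14:
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S")) & MASK
    return int(field) & MASK

def serial_lt(a, b):
    """True if a precedes b under RFC 1982 arithmetic on 32-bit values."""
    return a != b and ((b - a) & MASK) < 0x80000000

def rrsig_window(rr_text):
    """Return (inception, expiration) from an RRSIG in presentation format."""
    fields = rr_text.split()
    rdata = fields[fields.index("RRSIG") + 1:]
    # RDATA order: type covered, algorithm, labels, original TTL,
    # EXPIRATION, INCEPTION, key tag, signer name, signature.
    expiration, inception = parse_ts(rdata[4]), parse_ts(rdata[5])
    return inception, expiration

def in_window(inception, expiration, now):
    """Signature is usable when inception <= now <= expiration."""
    now &= MASK
    return not serial_lt(now, inception) and not serial_lt(expiration, now)

def is_current(rr_text, now):
    inception, expiration = rrsig_window(rr_text)
    return in_window(inception, expiration, now)

def is_current_misread(rr_text, now):
    """The mistaken reading: first timestamp taken as inception."""
    inception, expiration = rrsig_window(rr_text)
    return in_window(expiration, inception, now)  # arguments swapped on purpose

if __name__ == "__main__":
    now = 1326585600  # 2012-01-15 00:00:00 UTC, inside the sample window
    print(rrsig_window(SAMPLE_RRSIG))
    print(is_current(SAMPLE_RRSIG, now), is_current_misread(SAMPLE_RRSIG, now))
```

With the timestamps read in the wrong order, a signature that is inside its validity window is rejected as not current.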