[saag] RFC 5011 to IS question
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 28 November 2012 17:31 UTC
Message-ID: <50B64A46.5050903@cs.tcd.ie>
Date: Wed, 28 Nov 2012 17:30:46 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "saag@ietf.org" <saag@ietf.org>, dns-dir@ops.ietf.org
Cc: Michael StJohns <mstjohns@comcast.net>, Ralph Droms <rdroms.ietf@gmail.com>
Subject: [saag] RFC 5011 to IS question
Hi,

The IESG has recently been considering a request to move RFC 5011 [1] to Internet Standard. This is a fine RFC but I have one question and I'd be interested if anyone here has input.

Should we re-think any of the timer values here in the light of the fact that it took a few weeks to find out about DigiNotar? In particular the 30 day add hold-down timer might arguably be better off at ~90 days if additions are planned well ahead of time and there are no bad side effects of a longer timer and we assume that gossipy protocols might detect bad new trust points in a few weeks, but not necessarily sooner. (Say if detection needed a clueful traveller to go to place X, see the bad new trust point and return to somewhere where the bad new trust point isn't seen.)

I think the answer is "it's still ok" and plan to remove my discuss on this shortly, but wanted to check in case others who know more about DNSSEC think differently. (Note - nobody brought this up during IETF LC, it's just me asking.)

Thanks,
S.

[1] http://tools.ietf.org/html/rfc5011
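To make the timer question concrete, here is an added Python example (written for this archive page, not code from the email, RFC 5011 or any resolver) that models the add side of the RFC 5011 state machine (Start -> AddPend -> Valid) and replays a constructed scenario: a rogue SEP key appears in the zone on day 0 and is pulled when the compromise is detected some weeks later. It assumes a daily poll, that every observed DNSKEY RRSet was validly signed by an already trusted key, and the key names "KSK-2010" and "ROGUE" are made up.

```python
from dataclasses import dataclass, field


@dataclass
class Rfc5011Anchors:
    """Minimal RFC 5011 add-side state machine (Start -> AddPend -> Valid)."""
    hold_down_days: int
    valid: set = field(default_factory=set)          # trusted SEP keys
    add_pending: dict = field(default_factory=dict)  # key -> day hold-down began
    accepted_on: dict = field(default_factory=dict)  # key -> day it became Valid

    def observe(self, day: int, keys: frozenset) -> None:
        """Handle one validly signed DNSKEY RRSet seen on `day`.

        Assumption: the RRSet validated under a key already in `valid`, and
        every key in it carries the SEP bit and not the REVOKE bit, so each
        unknown key is a candidate trust anchor (RFC 5011 section 2.2).
        """
        # A pending key that vanishes from a validly signed RRSet goes back
        # to Start: its hold-down timer is reset (RFC 5011 section 4.1).
        for k in list(self.add_pending):
            if k not in keys:
                del self.add_pending[k]
        for k in keys:
            if k in self.valid:
                continue
            started = self.add_pending.setdefault(k, day)
            # Only after being seen continuously for the whole hold-down
            # period does the key move from AddPend to Valid.
            if day - started >= self.hold_down_days:
                self.valid.add(k)
                self.accepted_on[k] = day
                del self.add_pending[k]


def rogue_key_outcome(detection_day: int, hold_down_days: int, poll_every: int = 1):
    """Rogue key published on day 0 and removed on `detection_day`:
    return the day it became trusted, or None if it never did."""
    store = Rfc5011Anchors(hold_down_days, valid={"KSK-2010"})
    # Constructed scenario: the zone carries the rogue key until detection.
    for day in range(0, detection_day + hold_down_days + 1, poll_every):
        keys = {"KSK-2010"} | ({"ROGUE"} if day < detection_day else set())
        store.observe(day, frozenset(keys))
    return store.accepted_on.get("ROGUE")


if __name__ == "__main__":
    # Detection after 45 days: trusted on day 30 with the RFC value, never with ~90.
    print(rogue_key_outcome(45, 30), rogue_key_outcome(45, 90))
```

Run as-is it prints `30 None`: a 45-day detection lag lets the rogue key through the 30-day hold-down but not a 90-day one, which is exactly the trade-off the email raises.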