On Mon, Jan 06, 2014 at 01:25:24PM -0500, Olafur Gudmundsson wrote:
> Section 3 says: "If an OPENPGPKEY RR contains an expired OpenPGP
> public key, it MUST NOT be used for encryption."
>
> Suggest: "SHOULD" instead
Why should "expired" keys not be used? So long as the RRSIG on
the OPENPGPKEY record is not expired, the key is not "expired".
If none of the key metadata is authenticated independently from
DNSSEC, we only learn an expiration date modulo the validity of
the DNSSEC identity-to-key binding, and if we trust that, why not
trust the key? If the key is really expired, it should be replaced
in DNS.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane