Scott
On Sep 30, 2008, at 11:26 AM, TS Glassey wrote:
That is actually the NIST recommendations in SP 800-57 part 1 Public keys used for authentication should have a use lifetime of 1-2 years, but can be kept around a little longer to validate pre-existing signatures after that period. ScottWhat do you mean "Kept Around" - those keys need to be re-creatable through some Key Recovery Proces. especially since the master DNS Root is a direct piece of US Government Property until the NTIA MOU is codified in a formal conveyance of those Intellectual Properties. Yes I am talking about the MOU that NTIA wrote under Nancy Victory Esq's hand several years ago.That said, since DNS Lookups and the records of them are key pieces of 'evidence of activity' on the Internet or as a part of a larger private secure IP Network mand stem from a US Government owned DNS Root, the Root and its operations are constrained by FISCAM and the requiremensts of FISMA here...So let me ask this, rather than ignoring the obvious why not look the use of DNS as a process to resolve an address and the handshaking processes in DNSSec provide the security model therein to meet the existing rules of evidence and step from there to the platform of needing to create culpable digital evidence that will meet the Presiding Court requirement's of any Nation willing to rely on this service???This has ABSOLUTELY NOTHING to do with technology, it has to do with Social Process and that is the key win. We need logging of DNS Lookups that meets the reliable evidence requirement's put in place by the US Federal Rules of Civil Procedure.Todd Glassey--bill On Sun, Sep 28, 2008 at 09:14:34PM -0700, Paul Hoffman wrote:In the last paragraph of 3.1.1, remove the last sentence ("Although,given a long enough key..."). Replace it with the following paragraphs: There are two schools of thought on rolling a KSK that is not a trust anchor:- It should be done regularly (possibly every few months) so thata key rollover remains an operational routine. - It should only be done when it is known or strongly suspected that the key has been compromised in order to reduce the stability issues on systems where the rollover does not happen cleanly. There is no widespread agreement on which of these two schools of thought is better for different deployments of DNSSEC. There is a stability cost every time a non-anchor KSK is rolled over, but it is possibly low if the communication between the child and the parent is good. On the other hand, the only completely effective way to tell if the communication is good is to test it periodically. Thus, rolling a KSK with a parent is only done for two reasons: to test and verify the rolling system to prepare for an emergency, and in the case of an actual emergency.Because of the difficulty of getting all users of a trust anchor toreplace an old trust anchor with a new one, a KSK that is a trust anchor should never be rolled unless it is known or strongly suspected that the key has been compromised.Remove the first paragraph of 3.3; it is now covered in 3.1.1 (and itwas wrong about the cryptography). Change the second paragraph of 3.3 to:From a purely operational perspective, a reasonable key effectivityperiod for KSKs that have a parent zone is 13 months, with the intent to replace them after 12 months. An intended key effectivity period of a month is reasonable for Zone Signing Keys. This annual rollover gives operational practice to rollovers. Ignoring the operational perspective, a reasonable effectivity period for KSKs that have a parent zone is 25 years or longer. That is, if one does not plan to test the rollover procedure, the key should be effective essentially forever, and then only rolled over in case of emergency.In the first paragraph of 4.2, replace the first two sentences with:Regardless of whether a zone uses periodic key rollovers in order to practice for emergencies, or only rolls over keys in an emergency, key rollovers are a fact of life when using DNSSEC. --Paul Hoffman, Director --VPN Consortium _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop=================================== Scott Rose NIST [EMAIL PROTECTED] ph: +1 301-975-8439 http://www-x.antd.nist.gov/dnssec http://www.dnsops.gov/ =================================== _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop-------------------------------------------------------------------------------- No virus found in this incoming message. Checked by AVG - http://www.avg.comVersion: 8.0.173 / Virus Database: 270.7.5/1698 - Release Date: 9/29/2008 7:25 PM
=================================== Scott Rose NIST [EMAIL PROTECTED] ph: +1 301-975-8439 http://www-x.antd.nist.gov/dnssec http://www.dnsops.gov/ =================================== _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop