Hi,

Since the trust history draft was accepted at the Stockholm IETF75 (is that right, chairs? There was some discussion of looking at which workgroup would fit better?) I want to present some changes to the draft after discussion with the workgroup participants for workgroup consensus:

Text 1: In Security Considerations add:

    If the clock of the validator can be influenced, then setting it forward is unlikely to give advantage, but setting it backward enables a replay attack of old DNSSEC data and signatures. This vulnerability exists also in plain DNSSEC.

And George Barwood to acknowledgements.

Text 2: In section 6, for the paragraph discussing how trust history can be used on its own, add text:

    In order to pick up regular roll-over of keys in the target zone, the validator MUST store an updated keyset it sees as part of normal operation on stable storage if the keyset verifies correctly. New SEP keys are only taken into use if the key is still in the keyset after the TALINK TTL time has passed since the first time it was seen. SEP keys not in the keyset are discarded.

And Joe Abley to acknowledgements.

Best regards,
Wouter

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
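The hold-down rule in Text 2 (store a verified keyset, take a new SEP key into use only once it has survived in the keyset for the TALINK TTL, discard SEP keys that leave the keyset) is easier to reason about as a small validator-side state machine. The following is an added illustration, not code from the draft or the list discussion; it assumes key identifiers are opaque strings, that DNSSEC verification of the keyset is done elsewhere and passed in as a boolean, and that time is supplied by the caller as seconds so the hold-down can be stepped through deterministically.

```python
"""Simulated validator trust store applying the Text 2 hold-down rule (added example)."""
from dataclasses import dataclass, field


@dataclass
class TrustHistoryStore:
    talink_ttl: int                                       # hold-down period in seconds (the TALINK TTL)
    trusted: set = field(default_factory=set)             # SEP keys currently usable as trust anchors
    first_seen: dict = field(default_factory=dict)        # pending SEP key -> time first observed
    stored_keyset: frozenset = frozenset()                # last verified keyset kept on "stable storage"

    def observe(self, keyset, verifies, now):
        """Process a keyset seen at time `now`.

        `verifies` is the (externally computed, assumed) result of DNSSEC validation
        of the keyset.  Returns True if the keyset was accepted and persisted.
        """
        keyset = set(keyset)
        if not verifies:
            return False                                  # unverified keyset: ignore, persist nothing
        self.stored_keyset = frozenset(keyset)            # "MUST store ... on stable storage"
        # SEP keys no longer in the keyset are discarded, whether trusted or still pending.
        self.trusted &= keyset
        for k in [k for k in self.first_seen if k not in keyset]:
            del self.first_seen[k]
        # A newly seen SEP key starts its hold-down clock; a key that dropped out and
        # reappears starts over because its pending entry was deleted above.
        for k in keyset - self.trusted:
            self.first_seen.setdefault(k, now)
        # Keys still present after the TALINK TTL has elapsed since first sight are taken into use.
        for k, t0 in list(self.first_seen.items()):
            if now - t0 >= self.talink_ttl:
                self.trusted.add(k)
                del self.first_seen[k]
        return True


def rollover_demo():
    """KSK-1 -> KSK-2 rollover with a one-hour TALINK TTL (constructed timeline)."""
    store = TrustHistoryStore(talink_ttl=3600, trusted={"KSK-1"})
    store.observe({"KSK-1", "KSK-2"}, verifies=True, now=0)       # KSK-2 pre-published, pending
    store.observe({"KSK-1", "KSK-2"}, verifies=True, now=1800)    # still inside the hold-down
    store.observe({"KSK-1", "KSK-2"}, verifies=True, now=3600)    # TTL elapsed: KSK-2 trusted
    store.observe({"KSK-2"}, verifies=True, now=7200)             # KSK-1 withdrawn: discarded
    store.observe({"KSK-3"}, verifies=False, now=7300)            # unverified: no effect
    return store.trusted


if __name__ == "__main__":
    print(sorted(rollover_demo()))
```

Note that a key removed from the keyset before its hold-down expires loses its pending state, so a later reappearance must wait the full TALINK TTL again.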
