On 2010-10-03, at 07:59, Tony Finch wrote:

> On 3 Oct 2010, at 08:27, Jakob Schlyter <[email protected]> wrote:
>> On 1 okt 2010, at 20.59, Tony Finch wrote:
>>>
>>> Right, so it's aimed at human consumption rather than automatic tools?
>>
>> Given the historical information (together with old DNSKEY), you could build
>> a trust anchor history zone.
>
> Not really, since you need the private key of the old TA to sign the public
> key of the new one to get a cryptographic proof of the history. Without that
> it is just a third party attestation, which is rather weaker.

As has been expressed many times, old keys are not trustworthy and hence their signatures have no value.

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
