This doesn't seem a good fit for the PKI definition of a TA. You can have several TA. any are sufficient to define a trust point to anchor validation. you don't care which.
how the path is built, is not the same as where it terminates. top down or bottom up is legal in PKI. -G On Sun, Mar 25, 2018 at 8:21 PM, Paul Hoffman <[email protected]> wrote: > The current text is: > > "A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A > validating security-aware resolver uses this public key or hash as > a starting point for building the authentication chain to a signed > DNS response." (Quoted from <xref target="RFC4033"/>, Section 2) > > The WG has has a preference for quoting from RFCs, but there was also some > hesitation about this. How would people change this, possibly updating RFC > 4033? > > --Paul Hoffman > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
