On 1 Nov 2018, at 15:14, Wes Hardaker <[email protected]> wrote:

> Russ Housley <[email protected]> writes:
>
>> It is a good time to do rfc5011-bis. Real world experience from the
>> KSK roll makes a lot of sense to me.
>
> I think step one would be to list the aspects of it that worked well,
> and the aspects that didn't. From that we can determine the need for a
> replacement and what features would be needed in order to accommodate the
> aspects that didn't work well. I do believe it worked quite well over
> all, but there are elements that were lacking and may be worth doing a
> bis to address. [but we really need an upsides-and-downsides list based
> on experience first in order to evaluate the need to do a bis].

I'm not sure that "5011bis" is a helpful way to phrase this.

5011 solves the area it is concerned with (conventionally long-lived devices that don't ship on the shelf for long periods) very nicely, as far as I can see. There have been some variable implementations that might suggest the need for improved clarity in the specification or better test suites or something, but I don't think our recent experience has provided clear signs that 5011 as a protocol is deficient or unsuitable.

I think the wider problem space might be better described as trust anchor publication and retrieval. Within that perimeter we can find scope for improvement in areas like emergency key rollover, pre-publication of trust anchors for standby keys, retrieval of trust anchor (bootstrapping) by ephemeral or unattended devices, etc, etc. The area that 5011 addresses is kind of the best part.

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
