On Wed, 8 Jun 2005 19:41:33 +0000 [EMAIL PROTECTED] wrote:

> > The other answer is that I have heard suggestions that the KSK ought
> > to be longer lived - like 3 or so years. For the root, because of
> > the pain of putting it into anchor positions, even longer. This is
> > counter to "keep it regular so you get used to it" but it has appeal
> > to non-operations people.
>
> having a single KSK pretty much argues for a flag day...

For the root, yes. For configurations that use such a key as a trust
anchor, yes. But for what I think is going to be the most common
situation, a domain that becomes part of the secured tree by a parental
DS record pointing to the KSK, that is not the case.

> > I think it would be wise to recommend timing because there aren't a
> > lot of clear statements on this important issue. But perhaps you
> > need to recommend different time scales for different kinds of zone
> > administrations.
>
> that's a fairly old concept... closer to the edge/leaf
> the more volatile and short the key length & signature.
> as a general rule...

I do not agree with Bill's recommendation. Key length and key
effectivity go hand in hand. But key length and signature lifetime are
much less coupled. With a short key effectivity time you should not
have long signature lifetimes, but the reverse does not apply. With a
long key effectivity (many bits in the key) you can still do fairly
short signatures. Although there can be some coupling, it is the
volatility of the data that determines the signature validity.

On the issue of recommending times: in earlier versions of the draft we
had timescales and we were asked by the working group to remove these.

-- Olaf

---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
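The asymmetry Olaf describes (short key effectivity with long signature validity is a problem; long key effectivity with short signature validity is not) follows from a rule that is easy to model: a DNSKEY has to stay published until every RRSIG it produced has expired, because validators need it to check those signatures. The script below is an added illustration and is not part of the thread or of the draft under discussion. It assumes a simplified rollover in which keys are used back-to-back, each signs until the very end of its effectivity period, and DNSKEY/zone TTL propagation is ignored; the policy numbers and the start date are constructed for the example.

```python
"""
Model of the coupling between DNSSEC key effectivity and RRSIG validity.

A key must remain in the DNSKEY RRset until every signature it produced
has expired, so a short key effectivity combined with a long signature
validity forces many keys to be published at once, while a long-lived
key can sign with short validity periods without that cost.

Assumptions (added for this example, not from the original post): keys
roll back-to-back, each key signs right up to the end of its effectivity
period, and TTL propagation delays are ignored.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

# Constructed start date for the worked schedule (the date of the post).
EXAMPLE_START = date(2005, 6, 8)


@dataclass(frozen=True)
class SigningPolicy:
    # Key effectivity: the period during which the key produces signatures.
    key_effectivity: timedelta
    # Signature validity: RRSIG expiration minus RRSIG inception.
    sig_validity: timedelta


def policy_days(key_days: int, sig_days: int) -> SigningPolicy:
    """Convenience constructor taking both periods in days."""
    return SigningPolicy(timedelta(days=key_days), timedelta(days=sig_days))


def published_lifetime(policy: SigningPolicy) -> timedelta:
    """How long a key must remain in the DNSKEY RRset.

    The last RRSIG can be produced at the very end of the effectivity
    period, and validators need the DNSKEY until that RRSIG expires, so
    the key stays published for sig_validity beyond its signing period.
    """
    return policy.key_effectivity + policy.sig_validity


def concurrent_keys(policy: SigningPolicy) -> int:
    """Upper bound on keys published simultaneously under this policy.

    A new key is introduced every key_effectivity; each retired key
    lingers for sig_validity, so every successor that starts inside that
    tail overlaps with it.
    """
    return 1 + ceil(policy.sig_validity / policy.key_effectivity)


def rollover_schedule(policy: SigningPolicy, start: date, n_keys: int):
    """Dates for n successive keys as (id, signs_from, signs_until, withdraw_after)."""
    rows = []
    for i in range(n_keys):
        signs_from = start + i * policy.key_effectivity
        signs_until = signs_from + policy.key_effectivity
        withdraw_after = signs_until + policy.sig_validity
        rows.append((i + 1, signs_from, signs_until, withdraw_after))
    return rows


def policy_warnings(policy: SigningPolicy) -> list:
    """Flag the combination the post argues against: short key effectivity
    with long signatures.  The reverse (long key, short signatures) passes."""
    warnings = []
    if policy.sig_validity > policy.key_effectivity:
        warnings.append(
            "signature validity exceeds key effectivity: keys spend most of "
            "their published life idle and up to %d keys sit in the DNSKEY "
            "RRset at once" % concurrent_keys(policy)
        )
    return warnings


if __name__ == "__main__":
    cases = (
        ("short key, long sigs", policy_days(30, 365)),
        ("long key, short sigs", policy_days(3 * 365, 7)),
    )
    for name, p in cases:
        print("%s: published %d days, up to %d keys at once"
              % (name, published_lifetime(p).days, concurrent_keys(p)))
        for w in policy_warnings(p):
            print("  warning:", w)
    for row in rollover_schedule(cases[1][1], EXAMPLE_START, 3):
        print("  key %d signs %s..%s, withdraw after %s" % row)
```

Running it shows the asymmetry in numbers: a 30-day key with one-year signatures keeps each key published for 395 days and needs up to 14 keys in the DNSKEY RRset, whereas a three-year key with one-week signatures never has more than two keys published and is not flagged. Real deployments must add the DNSKEY and RRSIG TTLs to the withdraw dates; the model leaves those out on purpose.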
