On Wed, 15 Jun 2005 12:26:07 +0200 "Olaf M. Kolkman" <[EMAIL PROTECTED]> wrote:
> On Wed, 15 Jun 2005 10:55:42 +0100
> Ben Laurie <[EMAIL PROTECTED]> wrote:
>
> > One thing that hasn't been noted, as far as I can see, is that there's
> > not much point having a key longer than your parent's key.
> >
>
> Good catch... Thanks
>

I thought about this a little more but I am not sure what you said holds.

You can have a longer key than your parent's zone if it has made a different tradeoff between length and key-effectivity period than yourself. E.g. your parent uses a 1000-bit key for 2 months and you use a 2048-bit key for 3 years.

Besides, it may be that your local policy dictates that you verify your own domains with locally configured trust anchors that may consist of more bits than the weakest link validation chain.

Correct?

-- Olaf

---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org
