> On Aug 7, 2015, at 11:35 AM, Randy Bush <[email protected]> wrote:
>
>> This change would require certificates to be re-issued (or possibly
>> keys to be rolled) all the way down from Trust Anchors. When the
>> parent CA re-issues a certificate for the child CA with a new style
>> SKI, then the child will have to re-issue its products with a new AKI.
>>
>> This is not impossible, but not trivial either. Especially if a
>> delegated model is used.
>
> have we done a dnssec-v1? we should be able to change hashes without a
> flag day. if not, we need to think.
Actually, thinking about this a bit longer now... If both SHA-1 and SHA-256 are allowed (at least for a while), this can be initiated by any CA that wants to make the change. Important bits are:

- RFC6492 uses SKIs for revoke requests
- The AKI of products issued by a CA should match their SKI

I guess that the easiest way to make this work is a key roll. Create a new key, request a certificate for it with the new SKI, re-issue the products with the new key, and finally revoke the old key (using the old style SKI). It's still work, but not as bad as I previously painted.
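The key-roll sequence sketched in the message above, as an added worked example that is not part of the thread or of any RPKI implementation. It models a CA, its products (child certificates, ROAs, manifests) and the SKI/AKI relationship, and walks through the three steps: new key with a new-style SKI, re-issue of products so that their AKI matches again, then a revoke request naming the old-style SKI. The public keys are constructed byte strings rather than DER-encoded subjectPublicKey values, SHA-1 stands for the current SKI derivation and SHA-256 is assumed as the "new style"; the class and function names are the example's own.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed stand-ins for public keys. A real RPKI CA derives the SKI from the
# DER-encoded subjectPublicKey BIT STRING; plain bytes are enough to show the
# mechanics of the key roll.
OLD_KEY = b"constructed-old-ca-public-key"
NEW_KEY = b"constructed-new-ca-public-key"

OLD_STYLE = "sha1"    # current SKI derivation
NEW_STYLE = "sha256"  # assumed "new style" SKI derivation discussed in the thread


def key_identifier(public_key: bytes, style: str) -> bytes:
    """Derive a key identifier from public key bytes in the given style.
    Only the two styles the message says should coexist are accepted."""
    if style not in (OLD_STYLE, NEW_STYLE):
        raise ValueError("only the old (sha1) and new (sha256) styles are allowed")
    return hashlib.new(style, public_key).digest()


@dataclass
class Product:
    """Anything the CA signs (child CA cert, ROA, manifest). AKI names the issuing key."""
    name: str
    aki: bytes


@dataclass
class CA:
    public_key: bytes
    ski_style: str
    products: List[Product] = field(default_factory=list)
    # SKIs handed to the parent in revoke requests (the RFC 6492 message names the key by SKI)
    revoke_requests: List[bytes] = field(default_factory=list)

    @property
    def ski(self) -> bytes:
        return key_identifier(self.public_key, self.ski_style)

    def issue(self, name: str) -> Product:
        product = Product(name, self.ski)  # AKI of a fresh product == current SKI
        self.products.append(product)
        return product


def stale_products(ca: CA) -> List[str]:
    """Names of products whose AKI no longer matches the CA's current SKI."""
    return [p.name for p in ca.products if p.aki != ca.ski]


def roll_key(ca: CA, new_key: bytes, new_style: str) -> bytes:
    """Perform the key roll from the message; returns the old-style SKI that was revoked."""
    old_ski = ca.ski  # keep it: the revoke request must carry the old-style SKI
    # Step 1: new key, and (once the parent has issued a certificate for it) new-style SKI.
    ca.public_key, ca.ski_style = new_key, new_style
    # At this point every existing product carries a stale AKI.
    # Step 2: re-issue all products under the new key so that AKI == new SKI again.
    ca.products = [Product(p.name, ca.ski) for p in ca.products]
    if stale_products(ca):
        raise RuntimeError("re-issue left products with a mismatched AKI")
    # Step 3: revoke the old key, identified by the old-style SKI.
    ca.revoke_requests.append(old_ski)
    return old_ski


if __name__ == "__main__":
    ca = CA(OLD_KEY, OLD_STYLE)
    ca.issue("child-ca-cert")
    ca.issue("roa-1")
    revoked = roll_key(ca, NEW_KEY, NEW_STYLE)
    print("revoked old-style SKI:", revoked.hex())
    print("new-style SKI:", ca.ski.hex())
    print("stale products after roll:", stale_products(ca))
```

Because the old key is only revoked after all products have been re-issued, validators never see a product whose AKI points at a key the parent has already revoked, which is why the roll avoids a flag day as long as both SKI styles remain acceptable during the transition.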
