
[dns-wg] Re: [dnssec-deployment] [dns-wg] RE: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

  • To: Wouter Wijngaards <wouter@localhost>
  • From: Holger Zuleger <Holger.Zuleger@localhost>
  • Date: Mon, 07 Jan 2008 14:24:22 +0100
  • Cc: DNSSEC deployment <dnssec-deployment@localhost>, "richard.lamb" <richard.lamb@localhost>, "'Patrik Wallstrom'" <pawal@localhost>, Anne-Marie.Eklund-Lowinder@localhost, dns-wg@localhost

As a developer I have a question about revoke bits.

In a DNSKEY RRset that revokes A and also has keys B and C. Does A sign
(A+B+C) or does the signature from A only sign A?
In theory, only the signing of A is required, but don't care about the additional signing of B+C.
Signing more than simply A is nonsense, since the key is revoked.
And aids storing a presigned-self-revocation for emergency use.
However, that is not standard for RRset signatures.

Do signatures from B and C sign (A+B+C) or (B+C)?
They have to sign (A+B+C).

BTW, be aware of key tag changing if you set the revoke bit.
 Holger

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
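
The key tag change mentioned at the end of the message, as an added example that is not part of the original e-mail: it computes the RFC 4034 Appendix B key tag of a DNSKEY before and after the RFC 5011 REVOKE bit is set. The public key bytes, algorithm number 8, and all function names are constructed for illustration.

```python
import struct

ZONE_KEY = 0x0100  # flags bit 7 (RFC 4034)
REVOKE = 0x0080    # flags bit 8 (RFC 5011)
SEP = 0x0001       # flags bit 15 (RFC 4034), marks a KSK by convention


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Build DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the whole RDATA."""
    if rdata[3] == 1:
        # Algorithm 1 (RSA/MD5) derives the tag from the modulus instead.
        raise ValueError("algorithm 1 uses a different key tag rule (Appendix B.1)")
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def flags_of(rdata):
    return struct.unpack("!H", rdata[:2])[0]


def revoke(rdata):
    """Return the same key with the REVOKE bit set; the key material is unchanged."""
    return struct.pack("!H", flags_of(rdata) | REVOKE) + rdata[2:]


# Constructed sample: 32 bytes standing in for key A's public key material.
SAMPLE_KEY = bytes(range(1, 33))
KSK_A = dnskey_rdata(ZONE_KEY | SEP, 3, 8, SAMPLE_KEY)
KSK_A_REVOKED = revoke(KSK_A)

if __name__ == "__main__":
    for label, rdata in (("A", KSK_A), ("A revoked", KSK_A_REVOKED)):
        print(f"{label:10} flags={flags_of(rdata)} key tag={key_tag(rdata)}")
```

The flags field is part of the checksummed RDATA, so the same key material appears under a different tag once revoked, and the RRSIG made with the revoked key carries that new tag in its Key Tag field.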


 
