[dns-wg] KSK lifetimes
Paul Wouters
paul at xelerance.com
Fri Feb 5 17:55:04 CET 2010
On Fri, 5 Feb 2010, Edward Lewis wrote:

> The outcome of the thread was that, if left up to the cryptographic issues,
> there would be no need to change keys until a key was detected as being
> broken. This is because the effective lifetime of a key is not determined by
> the key itself but rather by the determination of the attackers. The moral -
> you only need to change the key in an emergency.

I don't think that was the outcome at all. As I read it, the outcome was
"cryptographers are even more conservative than DNS operators, because
key strength is a function of math & money, but the IETF suggested lifetimes
were very safe".

> The realization that it isn't the cryptography limiting the usefulness of the
> key to me is "new thinking." All along I thought that the limitation on the
> effectivity of a key was the cryptography - but for "good enough keys" the
> limitation is how comfortable I am going without changing it and how much
> does it cost to change it.

To that I agree.

Paul