Trust anchor retrieval over HTTP after rollover
When planning for a rollover, please consider future validators for which RFC5011 does not fully apply, e.g.

- home routers lying on the store shelf powered off
- personal computers (-> DANE) being offline for a couple of weeks

The following should be clarified regarding the trust anchor publication at http://data.iana.org/root-anchors/:

- Is it meant as a fallback when RFC5011 does not apply, or can the HTTP mechanisms be used as a regular update channel?
- How often should one refresh the trust anchor (when RFC5011 does not apply)?
- What is the best practice to resolve data.iana.org without the current trust anchor?
- Is there a 'best before' date on the S/MIME and PGP bootstrapping keys? How long can we expect the bootstrapping mechanisms to work before manual intervention or a software update by the vendor becomes necessary?
- Are there plans for revocation and rollover of the bootstrapping keys? (not asking to reinvent RFC5011, just mention it somewhere)