ICANN Email List Archives



Trust anchor retrieval over HTTP after rollover

  • To: comments-root-zone-consultation-08mar13@xxxxxxxxx
  • Subject: Trust anchor retrieval over HTTP after rollover
  • From: Matthäus Wander <matthaeus.wander@xxxxxxxxxx>
  • Date: Sat, 13 Apr 2013 02:34:42 +0200

When planning for a rollover, please consider future validators for
which RFC5011 does not fully apply, e.g.
- home routers lying on the store shelf powered off
- personal computers (-> DANE) being offline for a couple of weeks

The following should be clarified regarding the trust anchor publication
at http://data.iana.org/root-anchors/:
- Is it meant as a fallback when RFC5011 does not apply, or can the HTTP
mechanisms be used as a regular update channel?
- How often should one refresh the trust anchor (when RFC5011 does not
- What is the best practice to resolve data.iana.org without the current
trust anchor?
- Is there a 'best before' date on the S/MIME and PGP bootstrapping
keys? How long can we expect the bootstrapping mechanisms to work before
manual intervention or a software update by the vendor becomes necessary?
- Are there plans for revocation and rollover of the bootstrapping keys?
(not asking to reinvent RFC5011, just mention it somewhere)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
