<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Arial" size="2">
<div>-----BEGIN PGP SIGNED MESSAGE-----</div>
<div>Hash: SHA256</div>
<div> </div>
<div>> Stephen and I have come up with this plan for KSK rollover. We can add</div>
<div>> alternate schemes post version 1...</div>
<div>> </div>
<div>> </div>
<div>> Replacement key is pre-published as before.</div>
<div>> </div>
<div>> When we see that a key is about to retire, provided that there is one</div>
<div>> key</div>
<div>> in the ready state issue the "submit DS" message.</div>
<div>> </div>
<div>> Keep issuing this message until the "DS seen" command is issued.</div>
<div>> </div>
<div>> At this time move the ready key to active, the active key to retired</div>
<div>> and</div>
<div>> schedule the dead time of the retired key.</div>
<div>> </div>
<div>> </div>
<div>> Rollover if standby key is ready just sets estimated retire time to</div>
<div>> now,</div>
<div>> rollover if standby key is not ready sets estimated retire time to now,</div>
<div>> but</div>
<div>> nothing happens until the ready time of new key... just as it does now.</div>
<div> </div>
<div>Algorithm looks ok.</div>
<div> </div>
<div>> DS seen command will look like:</div>
<div>> </div>
<div>> ods-ksmutil key ds-seen --keytag <keytag></div>
<div>> </div>
<div>> (if keys are shared then we will ask if it has been seen in parents of</div>
<div>> all</div>
<div>> zones that use the key [y/N] )</div>
<div>> </div>
<div>> Then, provided that the keytag supplied matches a KSK in the ready</div>
<div>> state</div>
<div>> then the process can continue.</div>
<div>> </div>
<div>> </div>
<div>> I'm going to go ahead and start writing this in so can you give any</div>
<div>> feedback ASAP please?</div>
<div> </div>
<div>Do you need to use the keytag? Won't the system know which keys we are talking about when using either --zone or --policy?</div>
<div> </div>
<div>If we must use the keytag, can we handle keytag collisions?</div>
<div> </div>
<div>// Rickard</div>
<div> </div>
<div>-----BEGIN PGP SIGNATURE-----</div>
<div>Version: 9.8.3 (Build 4028)</div>
<div>Charset: utf-8</div>
<div> </div>
<div>wsBVAwUBSvflvOCjgaNTdVjaAQjzzAf/X7vZHXxfwj8r4x084VCFvcr2755gjeH7</div>
<div>YwNni2sHAm7xqKIdUZPA5dTq8I387w3JC+phy5ltEx5Nf/fgXxTiCbS83Jq9TrQp</div>
<div>Z+vIPH+1Z1BxKI41vl0Ah4EM7Ayl6hn2jc9nbazWw3eAqaEEYQPNLiArXQOK92Ti</div>
<div>8nFSNIM00Jh2N4GgdGRkOETauCVXHN5xvvjTqqJPrJt62rfR/sbrTWpXVTk9qWF7</div>
<div>khGBi392osfeRDMrCTU6QnP20J3fvnebW2Wp6QcVhwt4u3W8PIKm8RIooKsH/b0g</div>
<div>sfagMLbAZqF/gDmUVmwa73MtLin71Xv0IkuUCxnO0I1rQje2r9YPSw==</div>
<div>=rZkv</div>
<div>-----END PGP SIGNATURE-----</div>
<div> </div>
<div> </div>
</font>
</body>
</html>