[Opendnssec-develop] Key removal

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Feb 19 13:45:55 UTC 2009


John Dickinson wrote:
> It still does but since the Enforcer cannot see the signed zone it will
> not "know" how the signer is doing the signing (i.e. replacing all RRSIGs
> every time or just signing new stuff and expiring RRSIGs) and if there
> are any signatures remaining from an old key.

I say if there are any signatures remaining from an old key, you have
(at least) two choices:
* Remove all signatures corresponding to the old key.
* Keep these signatures, as they still validate, until their lifetime is
  exceeded.

However, the Signer Engine should not generate new signatures anymore.

> Therefore it will have to
> calculate from the KASP signature parameters when it is safe to stop
> publishing the old key. Something along the lines of the key must
> continue to be published for at least signature lifetime + TTLsig +
> clockskew (this equation is not correct, needs work and is what got me
> thinking this in the first place). This equation depends largely on
> parameters related to signatures and so I wondered if that indicated
> that it might be in the signer's realm of responsibility.

I prefer this to be optional. When KASP tells us not to use a key for
signing/publishing anymore, it should be safe to stop publishing the old
key immediately.

Matthijs

> However you all seem to be in agreement that the Enforcer should do it
> and I am happy with that.
> John
> ---
> John Dickinson
> http://www.jadickinson.co.uk
