[Opendnssec-develop] Erroneous jitter semantics
Jakob Schlyter
jakob at kirei.se
Thu Mar 11 09:09:37 UTC 2010
On 11 mar 2010, at 09.49, Rickard Bellgrim wrote:
> What I mean is that currently we do this:
>
> Inception = now - offset
> Expiration = now + validity period + jitter
> Total validity = offset + validity period + jitter
correct.
> You are suggesting:
>
> Inception = now - offset
> Expiration = now + validity period - jitter
> Total validity = offset + validity period - jitter
right, and this gives:
min(total validity) = offset + validity period - max(jitter)
max(total validity) = offset + validity period
so signatures will effectively expire between
now + validity - max(jitter)
and
now + validity
> But if we want to truly use the validity period as the maximum, then do this:
>
> Inception = now - offset
> Expiration = now + validity period - jitter - offset
> Total validity = validity period - jitter
the offset is a safeguard against time error, so I would not include that in the calculation of the signature expiration.
jakob
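The two jitter semantics compared in this thread, as an added worked example (not code from the OpenDNSSEC signer): it computes inception/expiration for one signature, the min/max total validity over the jitter range, and checks by sampling whether any signature can expire after now + validity. The offset, validity and jitter values in the demo are constructed.

```python
# Added example, not OpenDNSSEC code: RRSIG inception/expiration under the
# current "+ jitter" semantics and the proposed "- jitter" semantics.
import random
from datetime import datetime, timedelta, timezone


def signature_window(now, offset, validity, jitter, subtract_jitter):
    """Return (inception, expiration) for one signature generated at `now`.

    offset          - backdating of the inception (guard against clock error)
    validity        - configured validity period
    jitter          - jitter drawn for this signature, 0 <= jitter <= max jitter
    subtract_jitter - True:  expiration = now + validity - jitter (proposed)
                      False: expiration = now + validity + jitter (current)
    """
    inception = now - offset
    if subtract_jitter:
        expiration = now + validity - jitter
    else:
        expiration = now + validity + jitter
    return inception, expiration


def total_validity_bounds(offset, validity, max_jitter, subtract_jitter):
    """Smallest and largest possible expiration - inception over all jitter values."""
    base = offset + validity
    if subtract_jitter:
        return base - max_jitter, base
    return base, base + max_jitter


def rrsig_time(dt):
    """Format a timestamp as it appears in an RRSIG record (YYYYMMDDHHmmSS, UTC)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")


def never_exceeds_validity(offset, validity, max_jitter, subtract_jitter,
                           samples=1000, seed=1):
    """Sample jitter values; False if any signature expires after now + validity."""
    rng = random.Random(seed)
    now = datetime(2010, 3, 11, 9, 9, 37, tzinfo=timezone.utc)  # constructed
    limit = now + validity
    for _ in range(samples):
        jitter = timedelta(seconds=rng.randint(0, int(max_jitter.total_seconds())))
        _, expiration = signature_window(now, offset, validity, jitter, subtract_jitter)
        if expiration > limit:
            return False
    return True


if __name__ == "__main__":
    offset, validity, max_j = timedelta(hours=1), timedelta(days=7), timedelta(hours=12)
    now = datetime(2010, 3, 11, 9, 9, 37, tzinfo=timezone.utc)
    for subtract in (False, True):
        inc, exp = signature_window(now, offset, validity, timedelta(hours=5), subtract)
        print("subtract" if subtract else "add", rrsig_time(inc), rrsig_time(exp),
              total_validity_bounds(offset, validity, max_j, subtract))
```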