[Opendnssec-develop] separate validity for signatures over DNSKEY

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Mar 16 15:17:31 UTC 2010


On 15 mar 2010, at 22.38, Jakob Schlyter wrote:

> On 15 mar 2010, at 13.58, Matthijs Mekking wrote:
> 
>> For the signer engine, it is not that hard to implement separate refresh for keys.
>> 
>> If we are going to do this, I suggest this change in the kasp configuration:
>> 
>> 	# the signatures are reused for a period of time
>> 	# how long time before the expiration of the signature
>> 	# should it be refreshed?
>> -	element Refresh { xsd:duration },
>> +	element Refresh {
>> +		element Default { xsd:duration },
>> +		element Keys { xsd:duration }?
>> +	},
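Review bot: the replacement `element Refresh { ... }` drops the plain `xsd:duration` form, so every existing kasp.xml that carries `<Refresh>P3D</Refresh>`-style scalar content stops validating against the new kasp.rnc; if backwards compatibility is wanted, make Refresh a choice between the old scalar and the new group, e.g. `element Refresh { xsd:duration | (element Default { xsd:duration }, element Keys { xsd:duration }?) }`. The comment above the element still describes only the single-value case; since `Keys` is optional (`?`), it should also state that `Keys` governs the refresh of signatures over the DNSKEY RRset and that a missing `Keys` falls back to `Default`.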
>> 
>> Imo, it is cleaner than adding an element RefreshKeys. However, this is not compatible with the current kasp.rnc
> 
> if we need this we should do it almost as above, but we can actually still be backwards compatible if we want to.
> 
> 	jakob
> 

I think that the suggestion from Matthijs is good from a user perspective, since it is one group, just like the validity. But it is, as you say, not compatible with the previous KASP.

I think that usability wins over the compatibility.

// Rickard
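As an added illustration of the proposal under discussion (example code written for this page, not OpenDNSSEC's signer or KASP code): a small reader that accepts both the current scalar `<Refresh>` and the proposed `<Default>`/`<Keys>` group, and a refresh decision that uses the `Keys` interval for signatures over the DNSKEY RRset and `Default` for everything else, falling back to `Default` when `Keys` is absent. The placement of `Refresh` under a `Signatures` block, the simplified xsd:duration parser (years and months taken as 365 and 30 days), and the rule "refresh once now is within the refresh interval of the signature's expiration" are assumptions of this example, taken from the schema comment above rather than from the signer engine.

```python
"""Signature refresh decision with a separate refresh interval for DNSKEY signatures.

Added example for the kasp.rnc Refresh discussion; not OpenDNSSEC code.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample policies (assumed kasp.xml layout: Refresh under Signatures).
OLD_POLICY = """<Policy name="default">
  <Signatures><Refresh>P3D</Refresh></Signatures>
</Policy>"""

NEW_POLICY = """<Policy name="default">
  <Signatures><Refresh><Default>P3D</Default><Keys>P1D</Keys></Refresh></Signatures>
</Policy>"""

# Simplified xsd:duration: PnYnMnDTnHnMnS with non-negative integer fields only.
# Years and months are approximated as 365 and 30 days (assumption for this example).
_DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """Convert an xsd:duration string such as 'P1DT12H' to a timedelta."""
    text = text.strip()
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("bad xsd:duration: %r" % text)
    y, mo, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=y * 365 + mo * 30 + d, hours=h, minutes=mi, seconds=s)


def parse_refresh(policy_xml):
    """Return {'default': timedelta, 'keys': timedelta} for the policy's Refresh.

    Accepts the current scalar form <Refresh>P3D</Refresh> and the proposed
    group form with <Default> and an optional <Keys>; a missing <Keys> falls
    back to <Default>.
    """
    root = ET.fromstring(policy_xml)
    refresh = root.find(".//Refresh")
    if refresh is None:
        raise ValueError("no Refresh element in policy")
    default_el = refresh.find("Default")
    if default_el is None:
        default = parse_duration(refresh.text or "")
        return {"default": default, "keys": default}
    default = parse_duration(default_el.text or "")
    keys_el = refresh.find("Keys")
    keys = parse_duration(keys_el.text or "") if keys_el is not None else default
    return {"default": default, "keys": keys}


def needs_refresh(rrtype, expiration, now, refresh):
    """True when the RRSIG over rrtype is within its refresh interval of expiring.

    Signatures over the DNSKEY RRset use the 'keys' interval, all others 'default'.
    """
    window = refresh["keys"] if rrtype == "DNSKEY" else refresh["default"]
    return now >= expiration - window


def decide(policy_xml, rrtype, seconds_until_expiry):
    """Convenience wrapper: refresh decision for a signature expiring in N seconds."""
    now = datetime(2010, 3, 16, 15, 17, 31, tzinfo=timezone.utc)  # fixed clock for the example
    expiration = now + timedelta(seconds=seconds_until_expiry)
    return needs_refresh(rrtype, expiration, now, parse_refresh(policy_xml))


if __name__ == "__main__":
    two_days = 2 * 86400
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        r = parse_refresh(policy)
        print(name, "refresh: default=%s keys=%s" % (r["default"], r["keys"]))
        for rrtype in ("SOA", "DNSKEY"):
            print("  %-6s expiring in 2 days -> refresh now: %s"
                  % (rrtype, decide(policy, rrtype, two_days)))
```

With the group form, a DNSKEY signature that expires in two days is left alone (its refresh interval is one day) while the SOA signature is re-signed (three days); with the scalar form both are re-signed, which is the behaviour the separate interval is meant to change.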


More information about the Opendnssec-develop mailing list