[Opendnssec-develop] kasp draft

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Jul 28 11:59:55 UTC 2014


On 07/28/2014 12:30 PM, Siôn Lloyd wrote:
> On 28/07/14 10:10, Matthijs Mekking wrote:
>> On 07/15/2014 10:52 AM, Siôn Lloyd wrote:
>>> 2.1.1.1
>>> Jitter - I'm not sure that there is a need to define the jitter
>>> algorithm... I can have jitter that only increases signature lifetimes
>>> (i.e. r * j) and it is still just as valid. The algorithm could be given
>>> as an example.
>> I think we do want to define the algorithm: So that if the policy is
>> used in a different implementation, you can expect the same behavior.
> 
> I don't agree... If I have an existing implementation that uses a
> different, but equally valid, algorithm then I can not describe my
> system using this document. That would seem to be an unnecessary
> restriction.
> 
> The more generic solution would be to define jitter as the maximum a
> signature can vary from the defined lifetime - what distribution that
> variation takes is implementation specific.

It depends on why the policy includes a jitter. Is it to control the
range or is it there to control the signature distribution? If the
former, then we can define the jitter to be the varied range. If the
latter, I think the algorithm must be defined.

Best regards,
  Matthijs

> 
> Sion
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
> 
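The two positions above can be made concrete: both of the following jitter schemes keep every signature within the same maximum variation j of the nominal lifetime, yet they give different expiration distributions, which is exactly the "range versus distribution" question raised in the reply. This is an added illustration, not code from the KASP draft or from OpenDNSSEC; the symmetric scheme, the increase-only scheme (r * j) and the sample durations are assumptions chosen for the example.

```python
"""Compare two jitter algorithms against a single 'maximum variation' bound.

Added example for the thread above, not the draft's or OpenDNSSEC's code.
Durations are in seconds; the 14-day lifetime and 12-hour jitter are
constructed sample values, not taken from any policy file.
"""
import random
from statistics import mean

DAY = 86400
HOUR = 3600


def jitter_symmetric(lifetime, jitter, r):
    """Spread the expiration around the lifetime: lifetime + (2r - 1) * j.
    r is a uniform random number in [0, 1), so the offset lies in [-j, j)."""
    return lifetime + (2 * r - 1) * jitter


def jitter_increase_only(lifetime, jitter, r):
    """Only lengthen the lifetime: lifetime + r * j, offset in [0, j)."""
    return lifetime + r * jitter


def within_max_variation(lifetime, jitter, actual):
    """The 'range' reading of jitter: |actual - lifetime| must not exceed j."""
    return abs(actual - lifetime) <= jitter


def sample(algo, lifetime, jitter, n, seed=1):
    """Draw n jittered lifetimes with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [algo(lifetime, jitter, rng.random()) for _ in range(n)]


def compare(lifetime=14 * DAY, jitter=12 * HOUR, n=10000):
    """Return, per algorithm, whether all samples respect the range bound and
    the mean offset from the nominal lifetime (the distribution they produce)."""
    result = {}
    for name, algo in (("symmetric", jitter_symmetric),
                       ("increase_only", jitter_increase_only)):
        values = sample(algo, lifetime, jitter, n)
        result[name] = {
            "all_within_range": all(within_max_variation(lifetime, jitter, v)
                                    for v in values),
            "mean_offset": mean(values) - lifetime,
        }
    return result


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

Both schemes pass the range check, so a policy that only names the maximum variation accepts either; the mean offsets differ by roughly j/2, which is what a policy that means to fix the distribution would have to pin down.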