On Fri, 2006-05-26 at 19:57 +0200, Florian Weimer wrote:
> > But that is not relevant to the problem. Experience shows that keys do
> > get compromised and need changing. So rotation or no rotation the key
> > change has to be handled anyway. Rotation just adds it at specific
> > intervals on top of random events.
>
> Could you point me to a deployment which relies on key rotation to
> deal with key compromises? 8-)

DNSSEC

You have a KSK (Key Signing Key) which is strong and you sign a set of lesser keys which you then rotate regularly. This mechanism was established because it's problematic to rotate a key in the parent zone and keep CPU usage when signing big zones to reasonable levels.

Ondrej.
--
Ondrej Sury <[EMAIL PROTECTED]>