[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Key rotation deployments (Was: bits from the release team)



On Fri, 2006-05-26 at 19:57 +0200, Florian Weimer wrote:
> > But that is not relevant to the problem. Experience shows that keys do
> > get compromised and need changing. So rotation or no rotation the key
> > change has to be handled anyway. Rotation just adds it at specific
> > intervals on top of random events.
> 
> Could you point me to a deployment which relies on key rotation to
> deal with key compromises? 8-)

DNSSEC

You have KSK (Key Signing Key) which is strong and you sign set of
lesser keys which you then rotate regulary.  This mechanism was
established because it's problematic to rotate key in parent zone and
keep CPU usage when signing big zones to reasonable levels.

Ondrej.
-- 
Ondrej Sury <ondrej@sury.org>

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: