Name: draft-ihren-dnsext-threshold-validation-01
Title: Threshold Validation: A Mechanism for Improved Trust and Redundancy for DNSSEC Keys
State: Active
Authors: Johan Ihren
Group: Individual Submissions (none)
Date: 2004-07-22
This memo documents a proposal for a different method of validation for
DNSSEC-aware resolvers. The key change is that, by moving from a model of
one Key Signing Key (KSK) at a time to multiple KSKs, it becomes possible to
increase the aggregated trust in the signed keys by leveraging the
trust associated with the different signees. With multiple keys to
choose from, validating resolvers get the opportunity to use local policy to
reflect actual trust in different keys. For instance, it is possible to
trust a single, particular key ultimately, while requiring multiple valid
signatures by less trusted keys for validation to succeed. Furthermore,
with multiple KSKs there are additional redundancy benefits available, since
it is possible to roll over different KSKs at different times, which may
make rollover scenarios easier to manage.
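As an added illustration (not code from the draft or its author), the local-policy step described above modelled in Python: cryptographic verification of each RRSIG over the DNSKEY RRset is assumed to have already happened, and the code decides whether the set of KSKs whose signatures verified satisfies a policy that trusts some keys ultimately and requires a threshold of the less trusted ones. It also shows rolling one KSK without touching the others. All key tags and policy values are constructed.

```python
"""Threshold validation of a DNSKEY RRset under local resolver policy.

Constructed illustration, not the draft's code. Signature verification is
assumed done elsewhere; only the policy decision is modelled here.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class TrustPolicy:
    """Local policy for one zone apex (all values hypothetical).

    ultimate:  key tags trusted so much that one valid signature suffices.
    partial:   less trusted key tags; at least `threshold` of them must have
               produced valid signatures for validation to succeed.
    """
    ultimate: frozenset[int] = field(default_factory=frozenset)
    partial: frozenset[int] = field(default_factory=frozenset)
    threshold: int = 2

    def __post_init__(self) -> None:
        if self.threshold < 1:
            raise ValueError("threshold must be at least 1")


def threshold_validate(policy: TrustPolicy, verified_tags: set[int]) -> bool:
    """Return True if the verified signatures satisfy the local policy.

    `verified_tags` holds the key tags of KSKs whose RRSIG over the DNSKEY
    RRset verified. Tags the policy does not know are ignored: a signature
    by a key the resolver has no trust in contributes nothing, so extra
    signatures by unknown keys cannot lower the bar.
    """
    if verified_tags & policy.ultimate:
        return True
    return len(verified_tags & policy.partial) >= policy.threshold


def rollover(policy: TrustPolicy, old_tag: int, new_tag: int) -> TrustPolicy:
    """Replace one partial-trust KSK with its successor.

    Only the rolled key changes; trust in the remaining KSKs is untouched,
    which is the redundancy benefit of rolling KSKs at different times.
    """
    if old_tag not in policy.partial:
        raise KeyError(f"key tag {old_tag} is not a partial-trust key")
    new_partial = (policy.partial - {old_tag}) | {new_tag}
    return TrustPolicy(policy.ultimate, new_partial, policy.threshold)
```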