| 1 |
On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote: |
| 2 |
> Therefore, I would like to propose creating two layers of Authority |
| 3 |
> Keys: L1 and L2. The L1 key would be protected strongly and used only |
| 4 |
> to sign L2 key. The L2 key would be used to sign actual keys. |
| 5 |
|
| 6 |
Good idea. DNSSEC uses a similar method with KSK (key signing keys) and |
| 7 |
ZSK (zone signing keys). |
| 8 |
|
| 9 |
> Your comments? Anything I've missed? |
| 10 |
|
| 11 |
Problems usually arise when doing key rollovers. Good automation and |
| 12 |
lots of testing would be prudent before going live. |
| 13 |
|
| 14 |
-- |
| 15 |
Eray |
Archives