[dns-operations] .mm off the air for anyone who validates
Paul Vixie
paul at redbarn.org
Sat Jan 19 01:29:58 UTC 2013
...
Vernon Schryver wrote:
> ...
>>> I think this comes under "be liberal in what you accept."
>> No it doesn't.
>
> Indeed, "be liberal in what you accept" generally never has and should
> not apply to security. Who is liberal enough to accept passwords that
> are 90% right and public keys that were revoked only 10% of something
> ago? Should it be enough that 90% of a DNSSEC chain verifies? Expired
> keys are not the same as signatures that don't verify, but the principle
> is the same. Either the chain is valid, or all of the security proofs
> that depend on it are invalid.
+1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130118/36378b2c/attachment.html>
More information about the dns-operations
mailing list