[dns-operations] .mm off the air for anyone who validates

Paul Vixie paul at redbarn.org
Sat Jan 19 01:29:58 UTC 2013


...

Vernon Schryver wrote:
> ...
>>> I think this comes under "be liberal in what you accept."
>> No it doesn't.
>
> Indeed, "be liberal in what you accept" generally never has and should
> not apply to security.  Who is liberal enough to accept passwords that
> are 90% right and public keys that were revoked only 10% of something
> ago?  Should it be enough that 90% of a DNSSEC chain verifies?  Expired
> keys are not the same as signatures that don't verify, but the principle
> is the same.  Either the chain is valid, or all of the security proofs
> that depend on it are invalid.

+1.