[dns-operations] .mm off the air for anyone who validates
paul at redbarn.org
Sat Jan 19 01:29:58 UTC 2013
Vernon Schryver wrote:
>>> I think this comes under "be liberal in what you accept."
>> No it doesn't.
> Indeed, "be liberal in what you accept" generally never has and should
> not apply to security. Who is liberal enough to accept passwords that
> are 90% right and public keys that were revoked only 10% of something
> ago? Should it be enough that 90% of a DNSSEC chain verifies? Expired
> keys are not the same as signatures that don't verify, but the principle
> is the same. Either the chain is valid, or all of the security proofs
> that depend on it are invalid.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations