<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body text="#000000" bgcolor="#FFFFFF">...<br>
<br>
Vernon Schryver wrote:
<blockquote cite="mid:201301182319.r0INJ2vw079571@calcite.rhyolite.com"
type="cite"><span style="font-family: monospace;">...</span>
<blockquote type="cite"><blockquote type="cite"><pre wrap="">I think this comes under "be liberal in what you accept."
</pre></blockquote><pre wrap="">No it doesn't.
</pre></blockquote>
<pre wrap=""><!---->
Indeed, "be liberal in what you accept" generally never has and should
not apply to security. Who is liberal enough to accept passwords that
are 90% right and public keys that were revoked only 10% of something
ago? Should it be enough that 90% of a DNSSEC chain verifies? Expired
keys are not the same as signatures that don't verify, but the principle
is the same. Either the chain is valid, or all of the security proofs
that depend on it are invalid.</pre>
</blockquote>
<br>
+1.<br>
</body></html>