mcr> I think that there is very little incremental cost to including a
mcr> multitude of keys in a software release. i.e. rather than 1 or 3
mcr> for the next 3-4 years, I'd like to around a dozen. With a variety
mcr> of algorithms, keysizes, and with the private keys escrowed in a
mcr> variety of ways.

Paul Wouters <paul@nohats.ca> wrote:
> That makes monitoring and transparency recording of private key usage
> much harder. It also raises the possible abuse of any DNSSEC key to the
> weakest key escrow method, and will surely raise lots of red flags with
> people who already don't trust this system.

yeah, so the idea is not that it be a free-for-all, but that we might have
many more keys maintained by perhaps just one additional entity.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-