On 5 Feb 2010, at 15:39, Ralf Weber wrote:
Well, the original reason was Anand's mail that Fedora delivered an old RIPE key. This would not be the case with a key lifetime of, say, two years.
It would always be a problem if Fedora shipped something with the old keys, no matter what their lifetime was. Stale keys are still stale keys. This sort of problem is always a nuisance for an OS that depends on informal, volunteer efforts. If the guys working on some tool/project drag their feet or give up, stale code and obsolete configuration data can end up in the distros and repositories.

In any case, these alternate trust anchors should hopefully be dead and buried soon. Assuming we have a signed root this summer....

So, given that we should have a signed root Real Soon Now (=> alternate trust anchor schemes fade into oblivion), what impact does that have on the NCC's KSK rollover policy? Will the current schedule be too aggressive or unreasonable when this happens? [And .arpa gets signed of course...] Why? I'd welcome some discussion about this.