On 07/24/2012 03:59 PM, Paul Wouters wrote:
> On Tue, 24 Jul 2012, Matthijs Mekking wrote:
>> But both descriptions may be valid at the same point in time. So
>> I would like to say the key can be Published and Active at the
>> same time.
>> 2. A key can have more than one state at a time.
> I would not be in favour of using "states" where there is no clear
> distinction between the key states. Looking at implementors of key
> management software using state machines, we really should help
> them by using solid state definitions that do not overlap.

The whole idea of the proposed suggestion is to make the distinction
in key states more clear.
The reason for the overlap to occur is that key *components* have a
state and these states use a solid definition. Published says
something about the DNSKEY record. Active says something about the

> So "Published" would need to include "not used for signing" so it
> can never overlap with "Active".

But there are (obvious) situations where a Published key is used for
signing, e.g. the key is Active. That doesn't matter, as long as the
states for one key component do not overlap.