path: root/docs/repository-structure.txt
author Rob Austein <sra@hactrn.net> 2007-04-04 20:01:24 +0000
committer Rob Austein <sra@hactrn.net> 2007-04-04 20:01:24 +0000
commit ece6c7171ca5dca62a4ae71666b8e15b2dea8799
tree 621f76f996005b9b9831e77e488a1c1969ec68d2 /docs/repository-structure.txt
parent 9be7dbebfe3614e6dc02f7ea0a13e98fc80fb0f3
Note per Russ on compromise-driven rollover case.
svn path=/docs/repository-structure.txt; revision=569
Diffstat (limited to 'docs/repository-structure.txt')
-rw-r--r-- docs/repository-structure.txt 14
1 files changed, 12 insertions, 2 deletions
diff --git a/docs/repository-structure.txt b/docs/repository-structure.txt
index 9f0a562b..6b0d6a26 100644
--- a/docs/repository-structure.txt
+++ b/docs/repository-structure.txt
@@ -83,5 +83,15 @@ For those unfamiliar with the notation (borrowed from Lisp): g0001 etc
are just "gensym" symbols, ie, the output of some function whose sole
purpose is to generate meaningless symbols.
-See repository-structure.pdf (source in repository-structure.dot) for
-an illustration of the problem and solution.
+See images/repository-structure.pdf for an illustration of the problem
+and solution.
+
+There may be compromise-driven rollover cases in which we will need to
+reissue all of the children of a node whose key has been compromised.
+Whether or not this is necessary depends on whether the master copy of
+the authoritative data is safe somewhere else; if it is, and the
+resource certificates are just a signed representation of an
+authoritative database that has not been compromised, reissuing all of
+the descendants may not be necessary, but if the resource certificates
+-are- the database, and one level in it has been compromised, it's
+probably advisable to reissue all the descendants.
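Review bot: The new paragraph is inconsistent about the scope of reissuance: its first sentence says "all of the children of a node whose key has been compromised", while the rest says "all of the descendants" and "all the descendants". In a certificate tree those are different sets (direct subordinates versus the whole subtree), so use one term throughout; "descendants" matches the conclusion. The guidance is also left at "may not be necessary" and "probably advisable" with no statement of how an operator establishes that the master copy of the authoritative data is uncompromised, so a sentence naming that check would make the rollover decision actionable. Separately, the rewritten "See images/repository-structure.pdf" line drops the earlier "(source in repository-structure.dot)" pointer; if the .dot source is still kept, the note should continue to say where it is.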