-rw-r--r-- docs/repository-structure.txt 14
1 files changed, 12 insertions, 2 deletions
diff --git a/docs/repository-structure.txt b/docs/repository-structure.txt
index 9f0a562b..6b0d6a26 100644
--- a/docs/repository-structure.txt
+++ b/docs/repository-structure.txt
@@ -83,5 +83,15 @@ For those unfamiliar with the notation (borrowed from Lisp): g0001 etc
are just "gensym" symbols, ie, the output of some function whose sole
purpose is to generate meaningless symbols.
-See repository-structure.pdf (source in repository-structure.dot) for
-an illustration of the problem and solution.
+See images/repository-structure.pdf for an illustration of the problem
+and solution.
+
+There may be compromise-driven rollover cases in which we will need to
+reissue all of the children of a node whose key has been compromised.
+Whether or not this is necessary depends on whether the master copy of
+the authoritative data is safe somewhere else; if it is, and the
+resource certificates are just a signed representation of an
+authoritative database that has not been compromised, reissuing all of
+the descendants may not be necessary, but if the resource certificates
+-are- the database, and one level in it has been compromised, it's
+probably advisable to reissue all the descendants.
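Review bot: The new compromise-driven rollover paragraph leaves the operator without a decision rule: it hinges on whether the master copy is "safe somewhere else" but does not say how that is established, and both branches are hedged ("may not be necessary", "probably advisable"). Since this is the text someone will read during a key compromise, consider stating the conservative default outright, for example that all descendants are reissued unless an uncompromised authoritative database exists outside the resource certificates, and naming what counts as evidence of that. Separately, the rewritten reference to "images/repository-structure.pdf" drops the earlier pointer to the source file ("source in repository-structure.dot"); if the .dot source moved along with the PDF, it would help to keep that pointer with its new path so the illustration stays editable.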