[ksk-change] Keeping two KSK keys long term

Tomofumi Okubo tomofumi.okubo at gmail.com
Wed Oct 1 22:48:03 UTC 2014


On Wed, Oct 1, 2014 at 3:09 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Oct 1, 2014, at 2:15 PM, Jakob Schlyter <jakob at kirei.se> wrote:
> With all due respect, I'd like to see those numbers. The cost is approximately "have an extra HSM stored somewhere where the other HSMs are not". I'm not sure how expensive that can be relative to "fly a bunch of folks around twice a year for the ceremonies", much less relative to "if we needed it, we could show people we had planned for it".

It will roughly cost around 500k to set up one key ceremony room but
it's more about the overhead to manage the facilities.

Even if we don't store the HSMs for the backup keys at a different
location, I think introducing a different brand of HSM for the backup
key would have it's own benefits. We can prevent vendor lock-in and a
single HSM brand failing (critical flaw in hardware etc...) and
needing to do a full trust reboot. Not to mention, this will cost a
lot of money (around 150k) too.


More information about the ksk-rollover mailing list