[ksk-change] Keeping two KSK keys long term

David Conrad david.conrad at icann.org
Wed Oct 1 23:26:10 UTC 2014


On Oct 1, 2014, at 4:03 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Oct 1, 2014, at 3:48 PM, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:
>> It will roughly cost around 500k to set up one key ceremony room but
>> it's more about the overhead to manage the facilities.
> I propose that this additional key need a new key ceremony room;

I presume you meant to write “didn’t propose”

> in fact, that idea hadn't even occurred to me. Create the key in one of the current rooms, then drive the HSM to some other location and plant it there. 

It might be useful to describe the requirements for the “other location”.  Gaining unauthorized access to that HSM would be “bad”, so we’re probably not talking about storing the HSM under somebody’s bed. It might not need the full controls used in the KSF, but presumably there would need to be non-trivial controls (as well as controls related to transfer).

> Again, I'm only proposing this because my reading of 5011 makes it seem like having a second active KSK would be better if one of the KSKs is accidentally or purposely made unusable. Mike seems to agree with this; do others disagree?

Having more than one key would be good.  Having more than one vendor of HSM would be good.  If we’re looking at using the initial key roll as a way of making changes to the way the root key(s) is(are) managed, it might be useful to enumerate the good things and bad things.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141001/417d6714/signature-0001.asc>

More information about the ksk-rollover mailing list