[ksk-change] Keeping two KSK keys long term

Michael StJohns msj at nthpermutation.com
Wed Oct 1 23:39:18 UTC 2014

On 10/1/2014 7:26 PM, David Conrad wrote:
> Gaining unauthorized access to that HSM would be “bad”,

This is one of those misperceptions that's important to correct quickly.

Gaining access to an HSM, _*along with its ignition keys*_, would be 
bad.  Gaining access to the HSM by itself shouldn't be. The whole 
purpose of an HSM is to make generic access to the HSM non-bad.  E.g. 
the key's locked inside and without the use credential you ain't going 
to get it to do anything.  Attempts to extract a key will fail and 
ideally cause the HSM to zeroize.

> so we’re probably not talking about storing the HSM under somebody’s bed.
Actually, why not?  If it's a good HSM, then it's a piece of iron without 
the credentials to enable it.  The critical piece is to figure out how 
to prevent combination of the HSM with the unlocking credentials until 
policy says you should, and that's a different problem than keeping the 
HSM in a vault or under a bed.

E.g. steal my smart card (another HSM, albeit in a smaller form factor) 
and it's of no use to you without the PIN.

Later, Mike

