[ksk-change] Keeping two KSK keys long term

Tomofumi Okubo tomofumi.okubo at gmail.com
Wed Oct 1 23:42:42 UTC 2014

Hi Paul,

I do like the idea of having a backup key but I'm still not convinced
that the backup key requires a separate key ceremony room.
The entire site getting physically compromised is not the only
scenario and I don't think it has the highest probability.

Instead, most likely, the issue would be a flaw in the HSM or a flaw
in the algorithm or an insufficient key strength. An alternate site is
not required to mitigate these risks. You just need a backup key with
different specs on different HSMs.

I believe these are more important before adding an alternate site.


On Wed, Oct 1, 2014 at 4:03 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Oct 1, 2014, at 3:48 PM, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:
>> It will roughly cost around 500k to set up one key ceremony room but
>> it's more about the overhead to manage the facilities.
> I propose that this additional key need a new key ceremony room; in fact, that idea hadn't even occurred to me. Create the key in one of the current rooms, then drive the HSM to some other location and plant it there. Rent a party bus for the participants so that they can watch the HSM the whole time. You can even have the HSM sign something at the new location to prove that it is the same key that was created at the first place.
> Again, I'm only proposing this because my reading of 5011 makes it seem like having a second active KSK would be better if one of the KSKs is accidentally or purposely made unusable. Mike seems to agree with this; do others disagree?
> --Paul Hoffman

More information about the ksk-rollover mailing list