[ksk-change] Keeping two KSK keys long term

David Conrad david.conrad at icann.org
Wed Oct 1 23:44:31 UTC 2014


On Oct 1, 2014, at 4:39 PM, Michael StJohns <msj at nthpermutation.com> wrote:
> On 10/1/2014 7:26 PM, David Conrad wrote:
>> Gaining unauthorized access to that HSM would be “bad”,
> This is one of those misperceptions that's important to correct quickly.

Fair enough. Poor wording. Apologies.

> Gaining access to an HSM, along with its ignition keys would be bad. 

Yes.  I’d assumed this was understood.
>> so we’re probably not talking about storing the HSM under somebody’s bed.
> Actually, why not?  

Because it increases the risk of being able to gain full access since you only need to get the other half (the “unlocking credentials”).


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141001/b18d13f1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141001/b18d13f1/signature.asc>

More information about the ksk-rollover mailing list