[ksk-change] Keeping two KSK keys long term

Tomofumi Okubo tomofumi.okubo at gmail.com
Thu Oct 2 01:22:57 UTC 2014

Hello Mike,

On Wed, Oct 1, 2014 at 4:39 PM, Michael StJohns <msj at nthpermutation.com> wrote:
> On 10/1/2014 7:26 PM, David Conrad wrote:
> Gaining access to an HSM, along with its ignition keys would be bad.
> Gaining access to the HSM by itself shouldn't be.  The whole purpose of an
> HSM is to make generic access to the HSM non-bad.  E.g. the key's locked
> inside and without the use credential you ain't going to get it to do
> anything.  Attempts to extract a key will fail and ideally cause the HSM to
> zeroize.

I do agree that in general, gaining access to the HSM is not
equivalent to gaining access to the key materials on the HSM if its
without the credentials although, if the adversary's objective is to
sabotage the operation, they can simply destroy the HSM (and key that
resides on it) so I still believe that unauthorized access to the HSM
is pretty bad (from a key management standpoint).


More information about the ksk-rollover mailing list