[ksk-change] Keeping two KSK keys long term
Jakob Schlyter
jakob at kirei.se
Thu Oct 2 08:26:11 UTC 2014
If the chain of custody of this emergency spare HSM was broken - e.g., the HSM was stolen or compromised in a different way - ICANN would be very bad position.
As security engineers, we believe/know/hope that the HSM is supposed to be unusable without activation keys and we have 3rd parties (like NIST) that certifies this. However, this is not enough in the eyes of the community, and this why we have the key management facilities. If everyone actually trusted the HSMs fully, we would not need all that and HSM could sit on a shelf at the IANA offices.
jakob
More information about the ksk-rollover
mailing list