[ksk-change] Keeping two KSK keys long term

Jakob Schlyter jakob at kirei.se
Thu Oct 2 08:26:11 UTC 2014

If the chain of custody of this emergency spare HSM was broken - e.g., the HSM was stolen or compromised in a different way - ICANN would be very bad position.

As security engineers, we believe/know/hope that the HSM is supposed to be unusable without activation keys and we have 3rd parties (like NIST) that certifies this. However, this is not enough in the eyes of the community, and this why we have the key management facilities. If everyone actually trusted the HSMs fully, we would not need all that and HSM could sit on a shelf at the IANA offices.


More information about the ksk-rollover mailing list