[ksk-change] Keeping two KSK keys long term
Michael StJohns
msj at nthpermutation.com
Thu Oct 2 15:16:42 UTC 2014
On 10/1/2014 7:44 PM, David Conrad wrote:
> Mike,
>
> On Oct 1, 2014, at 4:39 PM, Michael StJohns <msj at nthpermutation.com> wrote:
>> On 10/1/2014 7:26 PM, David Conrad wrote:
>>> Gaining unauthorized access to that HSM would be “bad”,
>> This is one of those misperceptions that's important to correct quickly.
>
> Fair enough. Poor wording. Apologies.
>
>> Gaining access to an HSM, _*along with its ignition keys*_ would be bad.
>
> Yes. I’d assumed this was understood.
>>> so we’re probably not talking about storing the HSM under somebody’s bed.
>> Actually, why not?
>
> Because it increases the risk of being able to gain full access since
> you only need to get the other half (the “unlocking credentials”).

AIRC the unlocking credentials for the HSM require something more than
just a single smart card? You'd need to grab the HSM, plus enough of
the unlocking credentials to enable the device.

It's mostly just a numbers game. I'm going to follow up on Richard's
note with a more comprehensive discussion.
>
> Regards,
> -drc
>
>