[ksk-change] Keeping two KSK keys long term

Bolivar, Al abolivar at verisign.com
Thu Oct 2 17:13:56 UTC 2014


In the scenario you are talking about the adversary would gain access to
both HSMs at one of the facilities right? Then you could still use the
other two HSMs you have at the other facility, provided they didn¹t get
access to the smart cards (credentials) as well. You could then import the
KSK into new HSMs via the APP cards.



On 10/1/14, 9:22 PM, "Tomofumi Okubo" <tomofumi.okubo at gmail.com> wrote:

>Hello Mike,
>On Wed, Oct 1, 2014 at 4:39 PM, Michael StJohns <msj at nthpermutation.com>
>> On 10/1/2014 7:26 PM, David Conrad wrote:
>> Gaining access to an HSM, along with its ignition keys would be bad.
>> Gaining access to the HSM by itself shouldn't be.  The whole purpose of
>> HSM is to make generic access to the HSM non-bad.  E.g. the key's locked
>> inside and without the use credential you ain't going to get it to do
>> anything.  Attempts to extract a key will fail and ideally cause the
>>HSM to
>> zeroize.
>I do agree that in general, gaining access to the HSM is not
>equivalent to gaining access to the key materials on the HSM if its
>without the credentials although, if the adversary's objective is to
>sabotage the operation, they can simply destroy the HSM (and key that
>resides on it) so I still believe that unauthorized access to the HSM
>is pretty bad (from a key management standpoint).
>ksk-rollover mailing list
>ksk-rollover at icann.org

More information about the ksk-rollover mailing list