[ksk-change] Keeping two KSK keys long term

Richard Lamb richard.lamb at icann.org
Thu Oct 2 18:12:18 UTC 2014

FWIW: +1.  We did look high and low for additional level 4 vendors (I did
various evals in 2008) but at the time there was nothing other than AEP and
IBM, and SafeNet's main engineer said unlikely.  IBM PCI card tampered too
easily and stand-alone was of interest.  So would love to see some HSM
diversity here. -Rick

-----Original Message-----
From: ksk-rollover-bounces at icann.org [mailto:ksk-rollover-bounces at icann.org]
On Behalf Of Bolivar, Al
Sent: Thursday, October 02, 2014 10:43 AM
To: Tomofumi Okubo; Paul Hoffman
Cc: ksk-rollover at icann.org
Subject: Re: [ksk-change] Keeping two KSK keys long term

I would like to add that I support the addition of another vendor.
Tomofumi and I spoke to another vendor about introducing a competing FIPS
140-2 level 4 HSM. In my opinion having other choices will be positive.
On 10/1/14, 6:48 PM, "Tomofumi Okubo" <tomofumi.okubo at gmail.com> wrote:

>On Wed, Oct 1, 2014 at 3:09 PM, Paul Hoffman <paul.hoffman at vpnc.org>
>> On Oct 1, 2014, at 2:15 PM, Jakob Schlyter <jakob at kirei.se> wrote:
>> With all due respect, I'd like to see those numbers. The cost is 
>>approximately "have an extra HSM stored somewhere where the other HSMs 
>>are not". I'm not sure how expensive that can be relative to "fly a 
>>bunch of folks around twice a year for the ceremonies", much less 
>>relative to "if we needed it, we could show people we had planned for 
>It will roughly cost around 500k to set up one key ceremony room but 
>it's more about the overhead to manage the facilities.
>Even if we don't store the HSMs for the backup keys at a different 
>location, I think introducing a different brand of HSM for the backup 
>key would have its own benefits. We can prevent vendor lock-in and a 
>single HSM brand failing (critical flaw in hardware etc...) and needing 
>to do a full trust reboot. Not to mention, this will cost a lot of 
>money (around 150k) too.

ksk-rollover mailing list
ksk-rollover at icann.org