[ksk-change] Keeping two KSK keys long term

[Paul Hoffman]

On Oct 2, 2014, at 10:29 AM, Joe Abley <jabley at hopcount.ca> wrote:

> The root zone KSK security design depends upon physical security of the facility, not significant separation between the HSMs and the credentials needed to use them. (The PINs associated with each smart card are also not secret; they all use the same PIN which is disclosed in ceremony scripts and in public video).
> 
> I'm not suggesting there's a flaw in the design here -- the decision to focus on physical security and associated controls and not to use secret PINs or credentials stored elsewhere was a measured, intentional one.

Thank you, this helps actually move this conversation forward. I was assuming that the root key protection design was based on the security properties of the HSM, not of the facility.

Unless we want to change the basis of the original design, the question of whether we should have two KSK keys long terms then comes down to either of:

1) Is there an advantage to having two long-term KSKs in the same facilities that we have now?

2) Is there sufficient funding to having an additional facility (or two) for the additional KSK?

--Paul Hoffman