[ksk-change] Keeping two KSK keys long term
Tomofumi Okubo
tomofumi.okubo at gmail.com
Thu Oct 2 21:13:57 UTC 2014
Hello Paul,
> On Thu, Oct 2, 2014 at 12:11 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>
> 1) Is there an advantage to having two long-term KSKs in the same facilities that we have now?
Yes. I mentioned this before but the backup key could reside on different HSMs. This will prevent vendor lock-in and reduce the risk of all HSMs going bad at once for some reason (critical flaw etc...).
> 2) Is there sufficient funding to having an additional facility (or two) for the additional KSK?
I'm not sure about this one...
Just FYI, to build a facility from scratch, it will take at least 6 - 8 months. To update the policies and procedures in a manner that it won't affect the third party audit, it will take at least another 6 months including the inspection by the auditors.
Cheers!
Tomofumi