[ksk-rollover] root zone KSK rollover operations workshop planning
S Moonesamy
sm+icann at elandsys.com
Thu Sep 18 21:08:05 UTC 2014
Hi Mike,
Section 6.5 of the Root Zone DPS [1] states that a key rollover will
be scheduled on or after five years.
At 08:58 18-09-2014, Michael StJohns wrote:
>So a good place to start IMHO is NIST SP800-57 Part 1, Rev 3,
>Section 5.3.4 Cryptoperiods for Asymmetric Keys.
>
>Other places to look are:
>
> a) What is the expected EOL of the hardware currently used for root signing?
That would be at least five years.
> i) Is there a transition plan for transition to new hardware?
In my opinion that was to be covered by the key rollover.
>b) What effect on the overall security of the system does transition
>of personnel have? E.g. replacement of ICANN personnel involved
>with the KSK, replacement of community representatives? Are there
>exploitable attack surfaces?
I'll skip this one.
>e) Can any of the above be mitigated through a single KSK rollover?
>Through regularly scheduled KSK rollovers?
I am one of the Crypto Officers (West Coast).
The key rollover process has never been exercised. The logistics are
non-trivial. I raised the question of a KSK rollover previously with
ICANN as there isn't any operational experience for some parts of the DPS.
Regards,
S. Moonesamy
1. https://www.iana.org/dnssec/icann-dps.txt