[ksk-rollover] root zone KSK rollover operations workshop planning

Paul Hoffman paul.hoffman at vpnc.org
Fri Sep 19 15:26:39 UTC 2014

I think we disagree on some fundamental points in this discussion, but I could be wrong and don't want to put words in your mouth. Let me state what I think are the cryptographic aspects of the KSK rollover as defined in the Joe's message that started this thread.

- It is literally insane to attack a 2048-bit key that is protecting a 1024-bit key that is used for signing the same material (in this case, the root zone). Thus, there is no cryptographic reason to roll the 2048-bit KSK as long as the root is signed with 1024-bit ZSKs.

- Changing the signing algorithm (which I strongly support) is not a KSK rollover and thus out of scope for this discussion except insofar as if there is a planned algorithm change, that could affect the perceived need for the KSK rollover. If changing the signing algorithm *is* in scope for this discussion, the title of the discussion should change.

- Changing the signing policy to be one where the KSK and ZSK are both 2048 would have a huge effect on the decisions about KSK rollover because we then need to discuss the attack resistance of 2048-bit RSA keys and the value of breaking the root key signatures. If possibly changing that signing policy is in scope, that needs to be stated early.

--Paul Hoffman

More information about the ksk-rollover mailing list