[ksk-rollover] root zone KSK rollover operations workshop planning

[Michael StJohns]

On 9/19/2014 11:26 AM, Paul Hoffman wrote:
> I think we disagree on some fundamental points in this discussion, but I could be wrong and don't want to put words in your mouth. Let me state what I think are the cryptographic aspects of the KSK rollover as defined in the Joe's message that started this thread.
>
> - It is literally insane to attack a 2048-bit key that is protecting a 1024-bit key that is used for signing the same material (in this case, the root zone). Thus, there is no cryptographic reason to roll the 2048-bit KSK as long as the root is signed with 1024-bit ZSKs.
There is no reason *based on the cryptographic strength of the KSK* to 
roll the root irrespective of the strength of the ZSKs.

>
> - Changing the signing algorithm (which I strongly support) is not a KSK rollover and thus out of scope for this discussion
Disagree.

> except insofar as if there is a planned algorithm change, that could affect the perceived need for the KSK rollover. If changing the signing algorithm *is* in scope for this discussion, the title of the discussion should change.
>
> - Changing the signing policy to be one where the KSK and ZSK are both 2048 would have a huge effect on the decisions about KSK rollover because we then need to discuss the attack resistance of 2048-bit RSA keys and the value of breaking the root key signatures. If possibly changing that signing policy is in scope, that needs to be stated early.

Irrelevant.

>
> --Paul Hoffman