[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Paul Hoffman paul.hoffman at vpnc.org
Sun Sep 21 20:02:58 UTC 2014

On Sep 21, 2014, at 12:33 PM, Michael StJohns <msj at nthpermutation.com> wrote:

> On 9/21/2014 3:17 PM, Paul Hoffman wrote:
>> On Sep 21, 2014, at 8:41 AM, Joe Abley <jabley at hopcount.ca> wrote:
>>> One way that an emergency roll is different from a planned roll is that a planned roll can make use of existing non-compromised KSKs and their corresponding trust anchors, whereas an emergency roll (where the emergency is a consequence of a key compromise) might not have that luxury.
>> Just a placeholder here, but one that some people care about:
>> A planned rollover could turn into an emergency rollover during the ceremony if it is discovered that the signing hardware for the current key (or all the current keys, if there are more than one) cannot be used.
> I had to read this a few times to get what I think you meant. Specifically, if a) a signature is expiring over one of the groups of keys in the trust chain, and b) the hardware breaks so that the signature will expire before you can do the resigning, then c) it's an emergency.

It could also happen if this group decides to have a KSK rollover to test the system, even though the signature is not expiring. So, what you said, plus:

Specifically, if a) ICANN has decided to expire one of the groups of keys in the trust chain as an operational exercise, and b) the hardware breaks so that the signing cannot be done during the exercise, then c) it's an emergency.

> I'm stating it that way because keys don't actually have a defined EOL, so whether we're in an emergency situation or not is tied to signature expiration rather than the time you're trying to do the re-sign.  In the above scenario you have the time between your attempt and the signature expiration to recover the keys and complete the signature.  It's an internally triggered event that if completed successfully, has no external implications.

It will clearly have publicity (and thus policy) implications if there is a non-emergency ceremony happening for the KSK that has a giant "whoopsie" in the middle.

> If you're unable to resign the root DNSKEY RRSet in time with one of the keys in the root trust anchor set, then it's not actually an emergency rollover (keys aren't compromised, no one else can use them for faking data in the zone), but a failure of process.  The question is then how do you recover/reboot your trust anchor set so you can reestablish a chain of trust.
> I think they're two very different things to consider.

Fully agree, but I would call both of them emergencies. It sounds like you are defining "emergency" as a key compromise; others (including me) are defining it as that plus other bad things (like inability to sign with an uncompromised key).

To be clearer, maybe we have two (gad, I hope only two) terms: "compromise emergency" and "operational emergency". In a compromise emergency, you can sign but you really don't want to; in an operational emergency, you cannot sign but you really wanted to be able to.

--Paul Hoffman
