[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

David Conrad david.conrad at icann.org
Sun Sep 21 22:16:44 UTC 2014


Mike,

On Sep 21, 2014, at 2:12 PM, Michael StJohns <msj at nthpermutation.com> wrote:
> What I think you're saying above is basically, "I don't want a system that can deal with the most likely single compromise scenarios, but that I want to do a full scale trust reboot every so often and require 100s of 1000s (millions?) of manual updates of trust anchors."

What I want or don’t want is, of course, irrelevant.  

It might be interesting to explore assumptions.  For example, what do you believe is “the most likely single compromise scenario”?  And, what do you think the penetration of 5011 will be in validating resolvers now and in (say) 5 years?

I am assuming:

a. for all intents and purposes, the likelihood of _any_ compromise/loss of the root key is statistically equivalent.
b. regardless of (a), we _must_ be capable of dealing with a statistically unlikely event occurring.
c. touching the root key for any reason increases the probability of catastrophic failure/compromise by an infinitesimal but non-zero amount.
d. changing the root key of the DNS is and will continue to be an infrequent event (both because of (c) and, more likely, because of the PITA-ness of changing the key).

In addition, I’m assuming:

e. few large scale organizations will be comfortable with a signal being sent from somewhere out of their control that results in permanent changes to critical configuration information. 
f. it is hard to implement 5011 correctly.
g. people will continue to ship crap code.
h. as a result of a combination of (e), (f), and (g), some people won’t be able to enable 5011 support even if it does exist.

And of course (not really an assumption, but),

i. 5011 cannot help in the event of a catastrophic key compromise.

The above assumptions leave me questioning the benefit of assuming any roll can or should be treated as “planned”.

> 5011 is for the normal update and supersession of keys short of a complete trust reboot.

I guess this is where I get stuck: I don’t see how we will ever (or even should) get to a point where we see superseding the root key as a ‘normal’ thing.  If we assume people are dependent upon DNSSEC, I see mucking about with the root key as equivalent to juggling with an armed H-bomb: it isn’t something you want to normalize.
Regards,
-drc

P.S. An honest question: how often do root X.509 CAs roll their root keys?
