[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Tomofumi Okubo tomofumi.okubo at gmail.com
Mon Sep 22 04:41:18 UTC 2014

Hello David,

On Sun, Sep 21, 2014 at 7:55 PM, David Conrad <david.conrad at icann.org> wrote:

>>> P.S. An honest question: how often do root X.509 CAs roll their root keys?
>> It's kind of irrelevant, but somewhere between 5 and 20 years.
> I’ve been told (informally) the X.509 root CAs do not roll their root keys, period. It might be useful to get an authoritative answer on that question.

What usually happens is they create a second generation Root CA cert
and put it in the cert store, then simply stop issuing under the old
Root CA and start issuing certs under the second generation Root CA.

It's a bit like the 5011 standby key mechanism in the sense that you
pre-publish a new trust anchor and then start using it when you
want/need to.

> If you’re one of those CAs and your root’s private key is compromised, the fact that you have 49 competitors is unlikely to be much of a consolation.  The point being that from the perspective of the CA, the loss of the key is an existential risk and your policies and processes are designed to deal with that risk. I see some parallels in the handling of the root key. It might be useful to understand how the CAs deal with that risk.

If the Root CA is compromised, I'd think the CA would go out of
business. Not because of the lack of mechanism to recover but from the
catastrophic reputation damage and profound loss of trust.

In addition, I bet the browsers will pull them out from the cert store
in a heartbeat if it's really bad.

CAs deal with these risks by establishing and implementing rigorous
security controls around key management and undergo third-party audits
to verify that the controls remain effective and are actually
followed. This is kind of funny, but they also transfer this risk by
buying insurance; I'm not sure this helps, though. Certainly not
applicable to us.

I think the huge difference between the CA business and Root DNSSEC is
that there is no going out-of-business for Root DNSSEC. It doesn't
matter how ugly it gets, we have no option but to recover and keep on
providing the service at all costs.
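The pre-publish-then-switch pattern the post compares to RFC 5011 can be shown as a small validator-side model. This is an added example, not code from the thread or from ICANN: it tracks each key seen in the signed root key set through the RFC 5011 states and only promotes a new key to a trust anchor after it has been continuously present for the 30-day add hold-down, while a revoked anchor is dropped after the 30-day remove hold-down. Signature validation and the REVOKE bit are modelled as plain booleans, and the key ids (`ksk-old`, `ksk-new`, `ksk-rogue`) and the observation timeline are constructed for the demo.

```python
"""Toy model of RFC 5011-style trust-anchor pre-publication (added example)."""
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down time (30 days)
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down time (30 days)


class State(Enum):
    START = "Start"        # key seen, not yet a candidate
    ADDPEND = "AddPend"    # pre-published key waiting out the add hold-down
    VALID = "Valid"        # accepted trust anchor
    MISSING = "Missing"    # anchor that has vanished from the key set, still trusted
    REVOKED = "Revoked"    # REVOKE bit seen; waiting out the remove hold-down
    REMOVED = "Removed"    # no longer trusted


@dataclass
class Observation:
    time: int                          # seconds; constructed sample values below
    keys: frozenset                    # key ids present in the signed root key set
    revoked: frozenset = frozenset()   # subset carrying the REVOKE bit
    trusted_sig: bool = True           # set validated by an existing trust anchor


@dataclass
class Anchor:
    state: State
    since: int  # time the key entered its current state


class TrustStore:
    def __init__(self, initial_key, now):
        # The initial anchor is configured out of band (e.g. shipped with the resolver).
        self.anchors = {initial_key: Anchor(State.VALID, now)}

    def _move(self, anchor, state, now):
        if anchor.state is not state:
            anchor.state, anchor.since = state, now

    def observe(self, obs):
        # A key set not signed by a current anchor carries no authority: ignore it.
        if not obs.trusted_sig:
            return
        for key in obs.keys:
            self.anchors.setdefault(key, Anchor(State.START, obs.time))
        for key, a in self.anchors.items():
            present, revoked = key in obs.keys, key in obs.revoked
            if a.state is State.START:
                if present and not revoked:
                    self._move(a, State.ADDPEND, obs.time)   # hold-down clock starts
            elif a.state is State.ADDPEND:
                if not present or revoked:
                    self._move(a, State.START, obs.time)     # gap resets the clock
                elif obs.time - a.since >= ADD_HOLD_DOWN:
                    self._move(a, State.VALID, obs.time)     # accepted as anchor
            elif a.state is State.VALID:
                if revoked:
                    self._move(a, State.REVOKED, obs.time)
                elif not present:
                    self._move(a, State.MISSING, obs.time)
            elif a.state is State.MISSING:
                if revoked:
                    self._move(a, State.REVOKED, obs.time)
                elif present:
                    self._move(a, State.VALID, obs.time)
            elif a.state is State.REVOKED:
                if obs.time - a.since >= REMOVE_HOLD_DOWN:
                    self._move(a, State.REMOVED, obs.time)

    def trust_anchors(self):
        return {k for k, a in self.anchors.items()
                if a.state in (State.VALID, State.MISSING)}

    def state_of(self, key):
        return self.anchors[key].state


def demo():
    """Constructed timeline: a new KSK is pre-published, briefly vanishes (reset),
    is re-published and accepted after 30 days, then the old KSK is revoked."""
    old, new = "ksk-old", "ksk-new"          # constructed key ids
    both = frozenset({old, new})
    store = TrustStore(old, now=0)
    timeline = [
        Observation(1 * DAY, both),                                   # new key pre-published
        Observation(5 * DAY, frozenset({old, "ksk-rogue"}), trusted_sig=False),  # ignored
        Observation(10 * DAY, both),
        Observation(20 * DAY, frozenset({old})),                      # new key gone: reset
        Observation(21 * DAY, both),                                  # pre-published again
        Observation(40 * DAY, both),
        Observation(52 * DAY, both),                                  # 31 days: accepted
        Observation(60 * DAY, both, revoked=frozenset({old})),        # old key revoked
        Observation(80 * DAY, both, revoked=frozenset({old})),
        Observation(91 * DAY, both, revoked=frozenset({old})),        # 31 days: removed
    ]
    history = []
    for obs in timeline:
        store.observe(obs)
        history.append((obs.time // DAY, store.state_of(new).value,
                        store.state_of(old).value, sorted(store.trust_anchors())))
    return store, history


if __name__ == "__main__":
    for day, new_state, old_state, anchors in demo()[1]:
        print(f"day {day:>3}: new={new_state:<8} old={old_state:<8} anchors={anchors}")
```

The reset at day 20 is the property worth noticing: a key that is pre-published and then withdrawn never accumulates hold-down time, so an attacker who can only briefly inject a key into a validated set cannot get it accepted, and an operator who pulls a standby key has to restart the 30-day wait.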

