[ksk-change] [ksk-rollover] root zone KSK rollover operations workshop planning

Joe Abley jabley at hopcount.ca
Mon Sep 22 14:33:58 UTC 2014

Hi Andy,

On 22 Sep 2014, at 6:53, Andy Linton <asjl at lpnz.org> wrote:

> My understanding of the specs of the HSMs used in the current key ceremonies is that they have a lifetime of around 5 years. Does this need to be factored into the planning for KSK rollover?
> Other equipment used in the process may also fail.

Tomofumi will be able to speak to this better than I can, but my recollection is that the AEP Keypers have an expected battery lifetime of ten years, but in order to remain in warranty need to be reconditioned every five years.

As we know from ceremony 1, it's entirely possible to clone an individual HSM onto a new HSM that has arrived in a tamper-evident bag from the factory: we did this in order to replicate the crypto assets from Culpeper to El Segundo before the keys went into production.

So the existing HSMs could be replaced with brand new ones (there's an acceptance process already documented and exercised) and the old ones could be erased, tampered and securely destroyed, without any key materials leaving either facility, all within a ceremony.

There were thoughts in the past that the 5 year warranty period was nicely aligned with the expectation of rolling the key within 5 years of production use, and hence perhaps the hardware replacement and the key roll could happen concurrently. That'd be an optimisation of the two processes, though, and not a requirement.

Other hardware *has* failed since 2009; laptops have been replaced, for example.

I think it's reasonable to leave equipment failure/replacement as implementation details for the ICANN staff that run the ceremonies, and not to factor it into our thinking on how to roll the KSK.
