Hi David,
At 07:29 22-09-2014, David Conrad wrote:
>If the risk is physical access, then the 
>implication of a planned rollover is that that 
>physical access occurs (much) more frequently 
>than if the physical access is limited to the 
>times when emergency rollover is needed.  As 
>such, it actually increases the likelihood of it 
>happening. What a planned rollover does do is 
>provide more experience in the hopes that we can recover more easily.
>Of course, if the private key is lost or 
>compromised, you can’t use 5011 for a rollover.

Based on publicly available information there is 
physical access every six months per KMF.  I 
suggested to IKOS to have any planned key 
roll-over within that event.  That is to avoid 
any additional physical access [1].

>Repeating part of a previous message:
>"(a) there is no operational reason that forces 
>the key to change, (b) there is a risk — no 
>matter how slight — that we might screw up, (c) 
>it is expensive and time consuming to drag the 
>necessary people into the secure facilities to 
>spend the 2+ hours necessary to do the key 
>handling appropriately, and (d), it is likely 
>that rolling the key _will_ break things, the 
>only question is how much and who will be affected."

Nobody will want to authorize an emergency 
roll-over as (a) and (b) will weigh heavily against doing that.

I am personally aware of (c).  I have never 
viewed the time as an issue; I am there to 
perform a task and I would like to see it done correctly.

I agree that it is likely that rolling a key (d) 
will break things.  The discussions (not on this 
mailing list) about that have been about how much 
will break and who will be affected.

S. Moonesamy

1. http://data.iana.org/ksk-ceremony/18/KSK18-CAM1.mp4