[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Tomofumi Okubo tomofumi.okubo at gmail.com
Mon Sep 22 18:40:24 UTC 2014

Hello Subramanian,

I like the idea of assessing the risks of doing the KSK rollover.

Do you think it will help to facilitate this discussion if we perform
a high-level risk assessment for the KSK rollover in this group so we
can form a rough consensus around what exactly the risks are and how
they should be treated?

Risks could actually be dealt in four ways; mitigate, accept, transfer
or avoid. Avoiding (not doing it) is one way but not the only way.

Also, I'd like to stress that we are not just talking about present
but the future. The day the algorithm (or key length) is going be
obsolete is coming no matter what. Sometimes, not taking precaution
could be seen as lack of due diligence. I believe if we don't take
action now, the issue is going to get bigger in the future.


On Mon, Sep 22, 2014 at 8:50 AM, S Moonesamy <sm+icann at elandsys.com> wrote:
> Hi David,
> At 07:29 22-09-2014, David Conrad wrote:
>> If the risk is physical access, then the implication of a planned rollover
>> is that that physical access occurs (much) more frequently than if the
>> physical access is limited to the times when emergency rollover is needed.
>> As such, it actually increases the likelihood of it happening. What a
>> planned rollover does do is provide more experience in the hopes that we can
>> recover more easily.
>> Of course, if the private key is lost or compromised, you can’t use 5011
>> for a rollover.
> Based on publicly available information there is physical access every six
> months per KMF.  I suggested to IKOS to have any planned key roll-over
> within that event.  That is to avoid any additional physical access [1].
>> Repeating part of a previous message:
>> "(a) there is no operational reason that forces the key to change, (b)
>> there is a risk — no matter how slight — that we might screw up, (c) it is
>> expensive and time consuming to drag the necessary people into the secure
>> facilities to spend the 2+ hours necessary to do the key handling
>> appropriately, and (d), it is likely that rolling the key _will_ break
>> things, the only question is how much and who will be affected."
> Nobody will want to authorize an emergency roll-over as (a) and (b) will
> weigh heavily against doing that.
> I am personally aware of (c).  I have never viewed the time as an issue; I
> am there to perform a task and I would like to see it done correctly.
> I agree that it is likely that rolling a key (d) will break things.  The
> discussions (not on this mailing list) about that have been about how much
> will break and who will be affected.
> Regards,
> S. Moonesamy
> 1. http://data.iana.org/ksk-ceremony/18/KSK18-CAM1.mp4
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover

More information about the ksk-rollover mailing list