[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Paul Hoffman paul.hoffman at vpnc.org
Tue Sep 23 17:10:24 UTC 2014

On Sep 23, 2014, at 9:58 AM, David Conrad <david.conrad at icann.org> wrote:

> Actually, I’d say it is about:
> - what do we want to do in addition to rolling the key (e.g., longer key size, change algorithms, add more keys, etc)
> - the exact methodology by which we will roll the key.
> - how frequently will we roll the key
> - what’s going to break when we roll the key (and how do we mitigate/remedy that breakage)
> I see the “when” bit as a relatively minor detail once we get the above ironed out.

+1. In fact, the "when" is dependent on some of the earlier bits. For example, doing a key roll after adding a second key has completely different operational properties for ICANN, and for the relying parties, than rolling the single current key.

--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20140923/d7eb68e2/signature.asc>

More information about the ksk-rollover mailing list