[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Olaf Kolkman kolkman at isoc.org
Tue Sep 23 17:41:07 UTC 2014



> On 23 sep. 2014, at 19:11, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> 
>> On Sep 23, 2014, at 9:58 AM, David Conrad <david.conrad at icann.org> wrote:
>> 
>> Actually, I’d say it is about:
>> - what do we want to do in addition to rolling the key (e.g., longer key size, change algorithms, add more keys, etc)
>> - the exact methodology by which we will roll the key.
>> - how frequently will we roll the key
>> - what’s going to break when we roll the key (and how do we mitigate/remedy that breakage)
>> 
>> I see the “when” bit as a relatively minor detail once we get the above ironed out.
> 
> +1. In fact, the "when" is dependent on some of the earlier bits. For example, doing a key roll after adding a second key has completely different operational properties for ICANN, and for the relying parties, than rolling the single current key.


OK that clarifies.


--OK

