[ksk-rollover] Suggested update to the key ceremonies.

Matt Larson matt at kahlerlarson.org
Wed Feb 21 20:53:16 UTC 2018


> On Feb 21, 2018, at 11:50 AM, Michael StJohns <msj at nthpermutation.com> wrote:
> 
>>> So if you're really going down this path, you've probably got a lot more work than just checking against older KSKs.
>> I fully disagree with this, and with Ed's assertions. Checking for a matching key tag in the current and previous KSK set is sufficient to reduce ambiguity for manual use of key tags, which is what Warren's suggestion was about.
> So what you're saying is that you're going to conditionally repeat an operation that has a ritual associated with it (and indeed modify the ritual so this happens) until you get non-matching key tags for the sole purpose of someone later on looking at the key and saying "not a match". A complex ritual with specific requirements and a large cost in human time... OK.

It's not like we'd hold an entire ceremony to generate a new root KSK, leave the room and go, "Whoops! Duplicate key tag! Better do that all over again!". Instead we'd just change the key generation code to look for key tag collisions against a list of current/former/whatever keys and immediately generate another key if there's a collision.

Matt
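The regenerate-on-collision loop Matt describes, as an added example that is not part of the original thread or of the ICANN key-generation code. It computes the RFC 4034 Appendix B key tag over the DNSKEY RDATA and keeps generating candidate keys until the tag is absent from a supplied set of current and former KSK tags. Real key generation is replaced by an assumed stand-in (`random_public_key`, random bytes shaped like a public-key field); `scripted_keys` is an assumed helper that feeds fixed candidates so the collision path can be exercised deterministically.

```python
"""Added example: reject a freshly generated KSK whose key tag collides
with a current or former key, and generate another one instead."""
import os
import struct

# DNSKEY field values for a KSK: flags 257 = ZONE + SEP bits,
# protocol is always 3, algorithm 8 = RSASHA256.
KSK_FLAGS = 257
DNSKEY_PROTOCOL = 3
ALG_RSASHA256 = 8


def dnskey_keytag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA.

    The tag is a 16-bit checksum, not an identifier: distinct keys can
    share one, which is exactly the ambiguity the thread is about.
    (Algorithm 1, RSA/MD5, used a different rule and is not handled here.)
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if (i & 1) else (octet << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def random_public_key(length: int = 256) -> bytes:
    """Assumed stand-in for real key generation: random bytes the size of
    a 2048-bit RSA modulus field. Only the tag computation matters here."""
    return os.urandom(length)


def scripted_keys(candidates):
    """Assumed test helper: returns a generator callable that hands out
    the given candidate public keys in order."""
    it = iter(candidates)
    return lambda: next(it)


def generate_ksk_avoiding_tag_collisions(existing_tags, make_public_key=random_public_key,
                                         max_attempts: int = 64):
    """Generate candidate keys until the tag is unused by current/former keys.

    Returns (public_key, key_tag, attempts_needed). Raises RuntimeError if
    no collision-free candidate appears within max_attempts, so a ceremony
    script fails loudly rather than silently accepting a duplicate.
    """
    existing = set(existing_tags)
    for attempt in range(1, max_attempts + 1):
        pub = make_public_key()
        tag = dnskey_keytag(KSK_FLAGS, DNSKEY_PROTOCOL, ALG_RSASHA256, pub)
        if tag not in existing:
            return pub, tag, attempt
        # Collision: discard this candidate and try again, no ceremony restart needed.
    raise RuntimeError(f"no collision-free key tag after {max_attempts} attempts")


if __name__ == "__main__":
    # Well-known tags of the two root KSKs, used as the current/former set.
    known_root_ksk_tags = {19036, 20326}
    pub, tag, attempts = generate_ksk_avoiding_tag_collisions(known_root_ksk_tags)
    print(f"accepted key tag {tag} after {attempts} attempt(s)")
```

Because a key tag is only 16 bits, a fresh candidate collides with one of n existing tags with probability about n/65536, so the retry loop almost always returns on the first attempt; the check costs nothing and removes the manual-lookup ambiguity without touching the rest of the ceremony.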


