[ksk-rollover] Retention of the 2010 KSK CONSIDERED HARMFUL
Michael StJohns
msj at nthpermutation.com
Tue Apr 2 15:22:06 UTC 2019
On 4/2/2019 10:46 AM, Joe Abley wrote:
> Hi Mike,
>
> On 2 Apr 2019, at 09:33, Michael StJohns <msj at nthpermutation.com
> <mailto:msj at nthpermutation.com>> wrote:
>
>> It is a _*monumentally bad idea*_ to retain revoked key material -
>> especially when you don't actually have any way to use it.
>
> My concern is that we don't know if we have any way to use it until
> KSK rollovers stop being science projects.
Hoarding! I have no way of knowing if that necktie hanging on my rack
will ever come back into style, but it has a better chance of being
useful than your revoked key.
>
> The topic that prompted the concern was Warren raising Wouter's old
> trust anchor link proposal from the dead. I thought Wouter's proposal
> was a bad idea, years ago and I'm not sure whether Warren's current
> idea is best described as a recurring bad dream or a prodigal son
> returning, but it seems silly to rush to a conclusion when we don't
> need to.
Hoarding! It's a bad idea mainly because of the way time works and
that the keys are not policy bound to sign things bound in time. (e.g.
I can't tell the difference between an object with a timestamp of 1 jan
2010 signed on 1 jan 2010 and the same object with the same time stamp
signed in 2020). Because of that I can use a revoked key to sign data
that appears to have been signed before the key was revoked.
>
> What is the harm from keeping leaving the KSK-2010 smart cards that
> are already in the safe there for as long as it takes to have a stable
> plan in place for rolling the key? This is not a rhetorical question
> -- you know more about this stuff than I do, and I'm interested in
> your answer.
As long as the cards are around, the keys are usable. If it were a
perfect 5011 world, then that would be less of a problem as resolvers
would mark them as revoked ore remove them from the trust anchor set.
If you read 5011 you'll note that there's a housekeeping comment about
removing information from the trustanchor set after its no longer
useful. E.g. why hang on to the revoked key info for years on end when
you know that the key holders have destroyed the private key. What you
say? They didn't actually destroy the key??
In an ideal world, those keys should be no more useful than any randomly
generated key pair - e.g. they exist in no DNS root DNSKEY RRSet trust
anchor set in any resolver in the world. But 5011 cannot (and no
system can) result in perfect uptake by all resolvers of the fact of the
revocation of the keys and their deletion from the trust anchor set for
a given key - in this case 2010. Think of it this way - we think we've
defused the bomb, but it still contains explosives and can cause harm if
mishandled.
At this point two things are true: 1) The 2010 key set still exists,
and 2) there is at least one resolver out there that will still accept
that key as a trust anchor. Deleting the key set will make (2) a non-issue.
And given that there are humans involved, having yet another set of key
material that is nominally out of service but must be protected at the
same level of in-service key material increases the risk to all key
material some small amount. (i.e., you're spreading your focus
protecting things you really shouldn't have to be watching)
>
> Note that I'm not suggesting that old key materials be hoarded as a
> general principle; rather that since we don't yet know what we are
> doing, perhaps we shouldn't act as though we do.
Let's say it takes you 6 months (being generous, I think it will be a
year or so) to figure out what to do and socialize it and publish the
RFC. Take another 6 months to get uptake from the resolver vendors and
operators to actually implement it. Take another 6-12 months to get
sufficient coverage in the sales channel - call it 2 years for the sake
of argument. At that point I *really* hope that the 2017 key set has
bit the dust and we're on to 2019 or later. Given that we're concerned
with the state of the root trust anchor set, and as of today the
publisher thinks that 2010 is a dead key why would you include it in any
representation of the state of the set going forward from this point?
Answer - you wouldn't.
Problem for the reader: the original netscape browser contained lots of
keys in its trust anchor set. How many of those are still in modern
browsers, and do any browsers contain a history of the supercession of
those keys? Argue that it would be a good idea to keep a history of
those keys so that a browser that's been offline for two years can get
to the current trust set without updating the software of the 1999
version of Netscape.
Later, Mike
>
>
> Joe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190402/4b5eb05a/attachment.html>
More information about the ksk-rollover
mailing list