[ksk-rollover] Why keep old private keys?
gih at apnic.net
Wed Apr 3 20:31:28 UTC 2019
> On 4 Apr 2019, at 1:59 am, Salz, Rich via ksk-rollover <ksk-rollover at icann.org> wrote:
> If you think you’ll need something signed, then sign the new key and then destroy the HSM.
It may be that this is all we might need to do. But the days of PTI making peremptory decisions on such matters are probably long gone, if they ever existed. Even if all we would like from the KSK-2010 is to sign over KSK-2017 then it's my understanding that the PTI requires some form of community consensus that this is an appropriate final use of KSK-2010 before its destruction. (I am not sure if this use of KSK-2010 would be within scope of the existing DPS or not, btw).