[ksk-rollover] followup of DNSSEC Workshop at ICANN64
S Moonesamy
sm+icann at elandsys.com
Sun Mar 17 23:14:36 UTC 2019

Hi Michael,

I would like to disclose that I am one of the Crypto Officers. For
the sake of transparency, I'll mention that my travel expenses for
the last KSK Ceremony were sponsored by ICANN. Please let me know if
you would like to have more information about that or anything else
which might cause a potential conflict of interest.

At 01:24 PM 17-03-2019, Michael Richardson wrote:
>Brute force is not the only attack: there are possible "Mission
>Impossible"-like exfiltration attacks against the HSM(s). Do these attacks
>depend upon how many keys there are? I don't think so.

After the last KSK Ceremony, there was a discussion with the Root
Zone Manager (Public Technical Identifiers) about the physical
controls for the facility [1] where some of the HSMs are located. I
took the concerns raised on the different threads [2] into account
for that discussion. The issue, as I see it, is not whether an
"exfiltration attack" could happen; it is whether it will be detected
and publicly disclosed.

Regards,
S. Moonesamy

1. There are two facilities. I am commenting on the one which I have accessed.
2. As an example, https://mm.icann.org/pipermail/ksk-rollover/2019-February/000646.html