[ksk-rollover] followup of DNSSEC Workshop at ICANN64

S Moonesamy sm+icann at elandsys.com
Sun Mar 17 23:14:36 UTC 2019

Hi Michael,

I would like to disclose that I am one of the Crypto Officers.  For 
the sake of transparency, I'll mention that my travel expenses for 
the last KSK Ceremony were sponsored by ICANN.  Please let me know if 
you would like to have more information about that or anything else 
which might cause a potential conflict of interest.

At 01:24 PM 17-03-2019, Michael Richardson wrote:
>Brute force is not the only attack: there are possible "Mission
>Impossible"-like exfiltration attacks against the HSM(s). Do these attacks
>depend upon how many keys there are?  I don't think so.

After the last KSK Ceremony, there was a discussion with the Root 
Zone Manager (Public Technical Identifiers) about the physical 
controls for the facility [1] where some of the HSMs are located. I 
took the concerns raised on the different threads [2] into account 
for that discussion.  The issue, as I see it, is not whether an 
"exfiltration attack" could happen; it is whether it will be detected 
and publicly disclosed.

S. Moonesamy

1. There are two facilities.  I am commenting on the one which I have accessed.
2. As an example, 
