[ksk-rollover] Rollover 2.0?

Michael Richardson mcr at sandelman.ca
Mon Mar 14 21:52:40 UTC 2022

James Mitchell via ksk-rollover <ksk-rollover at icann.org> wrote:
    > We were starting our planning for the next KSK rollover in 2020 when
    > the pandemic forced us to alter our plans.


    > considering a return to normal operations for KSK ceremonies. Another
    > key consideration will also be both the ability and willingness of
    > other participants to travel - even when ICANN updates its corporate
    > policy we will need a quorum of third-party participants (TCRs, staff,
    > auditors, etc.) to be present as well.

While I think that we need to do the next roll-over as per current
procedures, I wonder if/how we could discuss changes to the procedures
to make the KSK rollover less vulnerable to world events.

For instance, if/when we move to elliptic curve for the root, we might be
able to make use of threshold modes.   draft-hallambaker-threshold-06.

How exactly we do this, I don't exactly know yet, but the point is that
the math lets us generate/maintain keys in multiple locations, and generate
signatures which are then combined without having to be in one place.

There is an increasing push to embed device identity keys in everything,
and that requires maintenance of hundreds of private PKIs in the industry.
The DNSSEC KSK is a very public and very much gold-plated process that the
industry looks to.  Not necessarily because it is the best or most secure,
but because it's the most visible example to emulate.

Can we get an equivalent or better level of security, at a lower cost?
(in terms of Dollars, CO2, and sensitivity to world situation)
Can the result become exemplar?
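
The property the message above describes (key shares generated and kept at separate sites, partial signatures combined afterwards) can be sketched as follows. This is an added example, not part of the original message and not code or wire format from draft-hallambaker-threshold. It assumes a simplified n-of-n additive Schnorr scheme over the edwards25519 group with hypothetical function names, and it omits the proofs of possession and nonce-commitment rounds a deployed scheme needs.

```python
import hashlib, secrets

# edwards25519 parameters (RFC 8032); everything else here is illustrative.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = -121665 * pow(121666, -1, P) % P
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def add(a, b):
    """Affine twisted-Edwards addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def share():
    """Run at one site: a fresh secret scalar and its public point."""
    s = secrets.randbelow(L - 1) + 1
    return s, mul(s, B)

def combine(points):
    """Sum public points: key shares give Y, nonce commitments give R."""
    total = (0, 1)
    for pt in points:
        total = add(total, pt)
    return total

def challenge(R, Y, msg):
    digest = hashlib.sha512(repr((R, Y)).encode() + msg).digest()
    return int.from_bytes(digest, "little") % L

def partial_sign(x_i, k_i, R, Y, msg):
    """Run at one site; only the scalar s_i leaves it."""
    return (k_i + challenge(R, Y, msg) * x_i) % L

def verify(Y, msg, R, s):
    """Ordinary single-key Schnorr check: s*B == R + c*Y."""
    return mul(s, B) == add(R, mul(challenge(R, Y, msg), Y))
```

Each site calls `share()` once for its key share and once per signature for a nonce; the combined signature is `(R, sum of s_i mod L)` and verifies against the combined public key `Y` like a single-signer signature.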

