[ksk-rollover] Root Zone KSK Rollover and HSM Update

Tomofumi Okubo tomofumi.okubo at gmail.com
Wed Aug 2 06:35:58 UTC 2023


There is not much you can do with the existing keys but still, KMIP is
something to consider going forward if one is concerned about vendor
lock-ins.
Needless to say, like anything else, there is a tradeoff.

Cheers!
T.

On Mon, Jul 31, 2023 at 11:23 PM Jakob Schlyter via ksk-rollover <
ksk-rollover at icann.org> wrote:

> On 2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover wrote:
>
> > From our experience besides admin interfaces, standard APIs for
> > regular operations, generating keys, sign, verify etc... are available
> > (PKCS#11/KMIP) from multiple vendors. But exporting/importing a key,
> > especially with the no-export attribute set, among vendors is not
> > available.
>
> I concur; moving keys not marked as CKA_EXTRACTABLE (at time of
> generation) is generally not supported (due to FIPS requirements).
>
>         jakob
>
> --
> Jakob Schlyter
> Kirei AB - www.kirei.se