[ksk-rollover] Root Zone KSK Rollover and HSM Update

Michael StJohns msj at nthpermutation.com
Thu Aug 3 18:57:22 UTC 2023


Hi Tomofumi -

KMIP is probably not relevant to this problem.  The problem I think 
you're trying to solve here is not one of interface (how to talk to the 
keys), but of key protection.

Mike

On 8/2/2023 2:35 AM, Tomofumi Okubo via ksk-rollover wrote:
> There is not much you can do with the existing keys but still, KMIP is 
> something to consider going forward if one is concerned about vendor 
> lock-in.
> Needless to say, like anything else, there is a tradeoff.
>
> Cheers!
> T.
>
> On Mon, Jul 31, 2023 at 11:23 PM Jakob Schlyter via ksk-rollover 
> <ksk-rollover at icann.org> wrote:
>
>     On 2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover wrote:
>
>     > From our experience, besides admin interfaces, standard APIs for
>     > regular operations (generating keys, sign, verify, etc.) are
>     > available (PKCS#11/KMIP) from multiple vendors. But exporting/importing
>     > a key, especially with the no-export attribute set, among vendors is
>     > not available.
>
>     I concur; moving keys not marked as CKA_EXTRACTABLE (at time of
>     generation) is generally not supported (due to FIPS requirements).
>
>             jakob
>
>     -- 
>     Jakob Schlyter
>     Kirei AB - www.kirei.se <http://www.kirei.se>
>     _______________________________________________
>     ksk-rollover mailing list
>     ksk-rollover at icann.org
>     https://mm.icann.org/mailman/listinfo/ksk-rollover
>
>     _______________________________________________
>     By submitting your personal data, you consent to the processing of
>     your personal data for purposes of subscribing to this mailing
>     list accordance with the ICANN Privacy Policy
>     (https://www.icann.org/privacy/policy) and the website Terms of
>     Service (https://www.icann.org/privacy/tos). You can visit the
>     Mailman link above to change your membership status or
>     configuration, including unsubscribing, setting digest-style
>     delivery or disabling delivery altogether (e.g., for a vacation),
>     and so on.
>
