[ksk-rollover] Root Zone KSK Rollover and HSM Update

Tomofumi Okubo tomofumi.okubo at digicert.com
Thu Aug 3 21:41:19 UTC 2023


Hello Mike,

Yes, I understand it won’t help with the existing/current keys on Keyper which are not exportable.

As KMIP allows us to move keys from one HSM to another (different vendor) I thought it would help with vendor lock-ins going forward. “Going forward” is when a different HSM is being selected.

Although, it seems like a good number of Keypers are secured before the EoL so I suppose we are good for quite a while. Plenty of time to think about what to do.

Cheers!
Tomofumi

From: ksk-rollover <ksk-rollover-bounces at icann.org> On Behalf Of Michael StJohns via ksk-rollover
Sent: Friday, August 4, 2023 3:57 AM
To: ksk-rollover at icann.org
Subject: Re: [ksk-rollover] Root Zone KSK Rollover and HSM Update

Hi Tomofumi -

KMIP is probably not relevant to this problem. The problem I think you're trying to solve here is not one of interface (how to talk to the keys), but of key protection.

Mike

On 8/2/2023 2:35 AM, Tomofumi Okubo via ksk-rollover wrote:
There is not much you can do with the existing keys but still, KMIP is something to consider going forward if one is concerned about vendor lock-ins.
Needless to say, like anything else, there is a tradeoff.

Cheers!
T.

On Mon, Jul 31, 2023 at 11:23 PM Jakob Schlyter via ksk-rollover <ksk-rollover at icann.org> wrote:
On 2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover wrote:

> From our experience besides admin interfaces, standard APIs for
> regular operations, generating keys, sign, verify etc... are available
> (PKCS#11/KMIP) from multiple vendors. But exporting/importing a key,
> especially with the no-export attribute set, among vendors is not
> available.

I concur; moving keys not marked as CKA_EXTRACTABLE (at time of generation) is generally not supported (due to FIPS requirements).

        jakob

--
Jakob Schlyter
Kirei AB - www.kirei.se
_______________________________________________
ksk-rollover mailing list
ksk-rollover at icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
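The following is an added example, not part of this thread and not code from any HSM vendor or from ICANN. It is a small Python model of the PKCS#11 attribute rules behind Jakob's remark that keys not marked CKA_EXTRACTABLE at generation time cannot be moved: CKA_EXTRACTABLE can only ever be changed from TRUE to FALSE, CKA_SENSITIVE only from FALSE to TRUE, and C_WrapKey (the only path by which private key material leaves a token) fails with CKR_KEY_UNEXTRACTABLE on a non-extractable key. The toy token, its defaults, the attribute names used as dict keys and the `check_ksk_template` policy check are all constructed for illustration; a real module is driven through ctypes or a binding such as python-pkcs11, not through these functions.

```python
"""Toy model of the PKCS#11 private-key attribute rules that decide whether a
key can ever leave an HSM. Constructed example; not a real PKCS#11 module."""

from dataclasses import dataclass, field


class Pkcs11Error(Exception):
    """Carries a PKCS#11 return-code name (e.g. CKR_KEY_UNEXTRACTABLE)."""

    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


# Set by the token from the key's history; applications may read but not set them.
TOKEN_MAINTAINED = {"CKA_ALWAYS_SENSITIVE", "CKA_NEVER_EXTRACTABLE"}


@dataclass
class PrivateKey:
    label: str
    sensitive: bool
    extractable: bool
    always_sensitive: bool = field(init=False)
    never_extractable: bool = field(init=False)

    def __post_init__(self) -> None:
        # Fixed at generation time: true only if the key started out that way.
        self.always_sensitive = self.sensitive
        self.never_extractable = not self.extractable


def generate_key(label: str, template: dict) -> PrivateKey:
    """Model C_GenerateKeyPair's handling of the private-key template."""
    if TOKEN_MAINTAINED & template.keys():
        raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")
    # PKCS#11 leaves the defaults token-specific; this toy token picks the
    # conservative ones (constructed choice, not a standard guarantee).
    return PrivateKey(
        label,
        sensitive=template.get("CKA_SENSITIVE", True),
        extractable=template.get("CKA_EXTRACTABLE", False),
    )


def set_attribute(key: PrivateKey, attr: str, value: bool) -> None:
    """Model C_SetAttributeValue's one-way transitions for the two attributes."""
    if attr == "CKA_SENSITIVE":
        if key.sensitive and not value:        # TRUE is final
            raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")
        key.sensitive = value
    elif attr == "CKA_EXTRACTABLE":
        if not key.extractable and value:      # FALSE is final
            raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")
        key.extractable = value
    elif attr in TOKEN_MAINTAINED:
        raise Pkcs11Error("CKR_ATTRIBUTE_READ_ONLY")
    else:
        raise Pkcs11Error("CKR_ATTRIBUTE_TYPE_INVALID")
    # always_sensitive / never_extractable are historical flags and are never
    # recomputed: a key that was once extractable stays NEVER_EXTRACTABLE=FALSE.


def wrap_key(key: PrivateKey) -> str:
    """Model C_WrapKey, the only way private key material leaves a token."""
    if not key.extractable:
        raise Pkcs11Error("CKR_KEY_UNEXTRACTABLE")
    return f"wrapped({key.label})"  # stands in for the wrapped key blob


def error_code(fn, *args):
    """Return the PKCS#11 error name a call raises, or None if it succeeds."""
    try:
        fn(*args)
    except Pkcs11Error as exc:
        return exc.code
    return None


def check_ksk_template(template: dict) -> list:
    """Defender's pre-generation check for a signing key that must never leave
    the HSM. Both attributes must be set explicitly, because the defaults are
    token-specific and the decision cannot be revisited after generation."""
    findings = []
    if template.get("CKA_SENSITIVE") is not True:
        findings.append("CKA_SENSITIVE must be set to TRUE explicitly")
    if template.get("CKA_EXTRACTABLE") is not False:
        findings.append("CKA_EXTRACTABLE must be set to FALSE explicitly")
    return findings


if __name__ == "__main__":
    ksk = generate_key("ksk", {"CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False})
    print("wrap non-extractable key:", error_code(wrap_key, ksk))
    print("flip to extractable:", error_code(set_attribute, ksk, "CKA_EXTRACTABLE", True))
```

Running the demo shows both paths out of the token closed for a key generated non-extractable, which is the situation the thread describes for existing Keyper keys: a later interface (KMIP or otherwise) changes how the token is talked to, not what the token will release.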
