[ksk-rollover] ICANN to generate new KSK
Michael StJohns
msj at nthpermutation.com
Thu Feb 29 18:21:24 UTC 2024
Hi -

The product brief for the Luna USB G7 doesn't provide a lot of data.
The previous HSM provided level four hardware protection - e.g. a tamper
perimeter and the ability to zeroize the keys if someone tried to decap
the thing. That's almost entirely dependent on having a constant power
source - usually a three stage line/battery/capacitor model.

On the PCI cards, there's a Li ion battery - a rather large one - on the
card just in front of the tamper covered HSM engine. See
https://thalesdocs.com/gphsm/luna/7/docs/pci/Content/install/pci_hw_install/battery_replace.htm

The older luna USB HSM had a battery compartment - I can't see one on
the images I've been able to find of the current one. It was also a
most Level 2 device with L3 security.

My questions are these: Is there an internal battery? Is it replaceable?
How often does this USB HSM need to be plugged into power to maintain
the internal battery? What happens if you leave it in a safe for a year
- or alternately, how long can the unit remain unplugged before it wipes
its keys? What's the lifetime of the battery before replacement?

Later, Mike

On 2/28/2024 7:20 PM, James Mitchell via ksk-rollover wrote:
>
> ICANN has announced the schedule to generate the next KSK.
>
> Generating a new KSK restarts the process announced last year, which
> was suspended after it was identified that a supplier of key equipment
> used to store the KSK (known as a Hardware Security Module, or HSM)
> would be exiting the business during the expected lifespan of the new KSK.
>
> The next KSK will be generated on new Thales Luna USB G7 HSMs.
>
> The announcement and information regarding the new HSMs is published
> at
> https://www.icann.org/en/announcements/details/icann-to-generate-new-dns-cryptographic-key-at-april-2024-ceremony-28-02-2024-en.
>
> James Mitchell
>
> IANA
>