[ksk-rollover] Thales Luna Credentials questions

Andres Pavez andres.pavez at iana.org
Mon Mar 4 15:21:17 UTC 2024


Hi Will,
Please see my comments inline below.

On Sun, Mar 03, 2024 at 07:18:26PM +0000, Will Tubby via ksk-rollover wrote:
> Hi,
> 
> I have a few questions about the key cards.
> 
> From looking at the document linked in response to mike I believe that the
> CO and SO cards act the same as they did on the Keyper. It also appears
> that the AAK and APP cards are combined to form the domain cards. Is this
> correct?
> 

No. They have similarities but work with different concepts. For example, Luna products have partitions, and for each partition, you can have different SO. We have decided to use the same SO credentials to manage the HSM and manage one partition that will have the KSK.
The AAK for the Keyper allows you to use the same credentials (OP, SO, and CO) in another Keyper that has the same AAK.
The APP key is protected by the SMK. 
In the Luna, the keys are protected by the Domain and CO Keys.

> I cannot seem to find an alternative to the OP cards. Is there a reason
> for this?
> 

The Keyper OP cards are only used to put the HSM online.
Using the Luna, we will use the SO credential to take the HSM out of Secure Transport Mode (STM), then the CO cards to put the Luna HSM "online" too.

> Additionally, I cannot seem to find a replacement for the SMK cards.
> 

I can say that the Domain and CO credentials combined can act similarly to the SMK.

> I attempted to investigate myself and found that when the SMK cards were
> used to set up a new HSM only 3 cards were used and they were already in
> the KMF. I thought that SMK cards are held by RKSHs and that 5 are
> required, not 3.
> 

Yes, we split the SMK for the COs in a 3 of 7 scheme to allow us to introduce new HSMs. This was a plan created in 2019 and implemented in 2022 and 2023 when we reissued all the credentials for the COs in both KMFs.

> Also a backup HSM is mentioned in the document. Is this in place of an APP
> card?

No. The backup HSMs will contain the KSK, and access to these backup HSMs will require both Domain and CO credentials. A backup HSM can only store keys and cannot perform cryptographic operations.

> 
> What credentials will be required to transfer a KSK to a new HSM?
> 

To transfer the KSK from the Luna HSM to another Luna HSM or backup HSM at least the Domain and the CO credentials are required. For operations, we will use all the same credentials (CO, SO, Domain and Audit).

> What credentials will be required to apply existing cards to a new HSM?
> 

The new Luna HSM uses a different type of credential. They are not compatible with the Keyper.

> What credentials will be required to decrypt the KSK backup?
> 

For Keyper HSMs, one needs the SMK to import an APP key backup. 
For Luna HSMs, one needs to use the Domain and CO credentials to access a Luna Backup HSM.

> 
> Kind Regards
> 
> Will

Best regards,
-- 
Andres Pavez
Cryptographic Key Manager
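As an added illustration of the 3-of-7 threshold split mentioned above (example code, not from this e-mail or ICANN's tooling, and it assumes a Shamir-style split over a prime field with the secret as an integer; the Keyper's actual SMK split format is not specified here), the following shows that any three of the seven share holders can reconstruct the value, while two cannot.

```python
import secrets

# Mersenne prime; all polynomial arithmetic is done modulo PRIME.
PRIME = 2**127 - 1


def split_secret(secret, threshold=3, shares=7, rng=secrets.randbelow):
    """Split an integer secret into `shares` points on a random polynomial
    of degree threshold-1 (3-of-7 by default). `rng` is injectable so the
    split can be made deterministic in tests."""
    assert 0 <= secret < PRIME and 1 <= threshold <= shares
    # coeffs[0] is the secret; the rest are random.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc

    # Share holder i receives the point (i, f(i)); x=0 is never handed out.
    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x=0 over GF(PRIME). With fewer points
    than the threshold this returns a value unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    # Constructed 120-bit stand-in for a wrapping key; not a real SMK.
    secret = int.from_bytes(secrets.token_bytes(15), "big")
    shares = split_secret(secret)
    from_three = recover_secret(shares[:3])                  # any 3 of 7
    from_other_three = recover_secret([shares[1], shares[4], shares[6]])
    from_two = recover_secret(shares[:2])                    # below threshold
    return secret, from_three, from_other_three, from_two
```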