[ksk-rollover] Thales Luna Credentials questions

Aaron Foley aaron.foley at iana.org
Mon Mar 4 22:00:25 UTC 2024


Hi Will,

Andres and I perform the same role, and I can answer your questions as well. Please see responses in line:

 

>COs will be given a full set of iKeys.
>RKSHs will only be given Domain and CO cards
>Domain cards will be 5 out of 7
>All other cards will be 3 out of 7
>The backup will now be on a different HSM

This is correct. The backups are on a dedicated backup HSM. They appear identical to the standard HSMs, but have a different firmware to be clear.

 

>In my first email I asked the question:
>What credentials will be required to apply existing cards to a new HSM?
>by this I was referring to transferring the new credentials (Domain, Audit, CO, SO) between all of the different Thales Luna HSMs

During the initial setup of an HSM one is prompted to create a new set of credentials or import an existing set of credentials. If one opts to import an existing set of credentials, the HSM requires the M in the M of N (either 3 or 5 depending on the credential in question here) to be inserted into the HSM, and with that, the import is complete. On Day 2 we plan to configure the first HSM and generate all of the credential sets that are required, clone the individual credentials until we have what is required for distribution to all TCRs, and then import these credentials to the remaining HSMs to be configured that day.

We have 2 Luna G7 signing HSMs and 2 Luna G7 backup HSMs for testing in our possession and have performed test scenarios on the hardware to ensure our logic is sound. This coupled with the Thales documentation allows us to ensure accuracy with the ceremony scripts.

>In your reply to Micha you state that new HSMs are to be added every two to three years. However looking at the previous scripts quite a few of the recent ones involve new HSMs. Is this just to do with the lifecycle of the originals?

In recent ceremonies we introduced new Keyper HSMs to replace aging units (HSMs 5 and 6 for both KMFs) to ensure their lifecycles would exceed the remaining lifecycle of the current KSK-2017. This will allow us a lengthy pre-publication period of the KSK-2024 slated for generation this April on the new equipment before the rollover date scheduled in 2026. You may read more about the key rollover phases here: https://www.icann.org/en/system/files/files/proposal-future-rz-ksk-rollovers-01nov19-en.pdf

The plan with Luna HSMs is to align the lifecycle of the signing HSMs with the lifecycle of the KSKs they contain. Additionally, we plan to introduce additional backup HSMs approximately midway through a key’s lifecycle so we’ll have backup HSMs manufactured at different times going forward. This plan provides the 2-3 year cadence Andres previously mentioned.

>Finally I notice that KSK Ceremony 53 is split into two parts. Will the second part (Introducing the new HSMs) be live streamed the same way as the normal ceremony?

Yes. We have separate ceremony pages set up for the two ceremony days, and each will have its own embedded YouTube livestream link. Each day will have its own annotated script and ceremony artefacts posted afterward as is customary.

>I apologise for all the questions but it doesn't help that I only started learning about DNSSEC and the KSK about 3 months ago.

It sounds like you’re off to a great start. We don’t mind the questions. Our goal is to promote awareness and trust in the process, so we are here to serve that purpose.

-Aaron
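The "M in the M of N" requirement Aaron describes for importing a credential set is a threshold scheme: any M of the N issued cards reconstruct the credential, and fewer than M reveal nothing useful about it. The following is an added illustration of that concept using textbook Shamir secret sharing over a prime field; it is not Thales Luna's own scheme, not the ceremony's tooling, and nothing here reflects how Luna cards or iKeys actually encode their data. The credential names and thresholds (Domain 5 of 7, all others 3 of 7) are taken from the thread; the secret value, the field modulus and every function name are constructed for the example.

```python
"""Toy M-of-N credential split (Shamir secret sharing over a prime field).

Added illustration of the threshold idea discussed in the thread; it is not
Thales Luna's scheme or the ceremony tooling. Credential names and thresholds
are taken from the thread; everything else is constructed for the example.
"""
import itertools
import secrets
from typing import Dict, List, Tuple

# Prime modulus for the field arithmetic (2**127 - 1 is a Mersenne prime).
P = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x)) pair, i.e. what one card/iKey would hold

# Thresholds as stated in the thread: Domain cards 5 of 7, all other cards 3 of 7.
CREDENTIAL_THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "Domain": (5, 7),
    "Audit": (3, 7),
    "CO": (3, 7),
    "SO": (3, 7),
}


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial (coeffs[0] is the constant term) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, m: int, n: int) -> List[Share]:
    """Split `secret` into n shares such that any m of them reconstruct it."""
    if not 1 <= m <= n or not 0 <= secret < P:
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0.

    With at least m distinct shares this returns the secret; with fewer it
    returns a well-formed but unrelated value, which is the whole point.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Modular inverse of den via Fermat's little theorem (P is prime).
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def every_quorum_recovers(secret: int, m: int, n: int) -> bool:
    """True if every m-subset of the n shares reconstructs `secret`."""
    shares = split_secret(secret, m, n)
    return all(recover_secret(list(q)) == secret
               for q in itertools.combinations(shares, m))


def below_quorum_fails(secret: int, m: int, n: int) -> bool:
    """True if m-1 shares do not yield the secret (accidental hit has odds ~1/P)."""
    if m == 1:
        return True  # a 1-of-n split has no below-quorum case
    shares = split_secret(secret, m, n)
    return recover_secret(shares[: m - 1]) != secret


def check_all_credentials(secret: int) -> Dict[str, bool]:
    """Run both checks for each credential type in the table."""
    return {
        name: every_quorum_recovers(secret, m, n) and below_quorum_fails(secret, m, n)
        for name, (m, n) in CREDENTIAL_THRESHOLDS.items()
    }


if __name__ == "__main__":
    demo_secret = secrets.randbelow(P)  # constructed stand-in for a credential value
    for name, ok in check_all_credentials(demo_secret).items():
        m, n = CREDENTIAL_THRESHOLDS[name]
        print(f"{name:6s} {m} of {n}: {'ok' if ok else 'FAILED'}")
```

The two checks are the properties an auditor cares about when reviewing a split-credential design: that any quorum (not just the first M cards issued) is sufficient, and that one card short of quorum yields nothing usable. The duplicate-share guard matters in practice too, because presenting the same card twice must not count as two of the M.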