<div><br><div class="gmail_quote"><div dir="auto">On Fri, Jan 5, 2018 at 13:42 David Conrad <<a href="mailto:david.conrad@icann.org">david.conrad@icann.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div id="m_5159178407504468633bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Doug,</div></div><div style="word-wrap:break-word">
<br>
<div id="m_5159178407504468633bloop_sign_1515176431207238912" class="m_5159178407504468633bloop_sign">On January 4, 2018 at 11:50:02 PM, Doug Barton (<a href="mailto:dougb@dougbarton.email" target="_blank">dougb@dougbarton.email</a>) wrote:</div>
<div>
<blockquote type="cite" class="m_5159178407504468633clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span>
<div>
<div></div>
<div>Since a little before September when the 8145 data started rolling in<span class="m_5159178407504468633Apple-converted-space"> </span><br>
all I've heard discussed is the risk to the deployed base if we do the<span class="m_5159178407504468633Apple-converted-space"> </span><br>
roll and their stuff breaks. But there is another, arguably greater risk<span class="m_5159178407504468633Apple-converted-space"> </span><br>
that is not being discussed, what happens if we get ourselves into a<span class="m_5159178407504468633Apple-converted-space"> </span><br>
position where we are forced to do an emergency roll? (The common<span class="m_5159178407504468633Apple-converted-space"> </span><br>
scenarios for that are key compromise, which is very unlikely but not<span class="m_5159178407504468633Apple-converted-space"> </span><br>
impossible, and alg failure.)<span class="m_5159178407504468633Apple-converted-space"> </span></div>
</div>
</span></blockquote>
</div>
</div><div style="word-wrap:break-word"><p>If they key gets lost or compromised, my understanding is that we cannot use RFC 5011 to do the roll and must fall back to doing an out-of-band key rollover. We aren’t really exercising this under this iteration of the community defined KSK rollover plan.</p></div></blockquote><div dir="auto"><br></div><div dir="auto">Um. No. </div><div dir="auto"><br></div><div dir="auto">In fact, at this point you’re closer to being able to use 5011 as I designed it than ever before. I.e., you have two trust Anchors. If you want to be able to support key compromise and emergency replacement the next step is to add anchor C . The step after that is to revoke the current (old/original) trust anchorA. Keep C’s private key off line and in threshold pieces. Sign the DNSKEY RRSet with B.</div><div dir="auto"><br></div><div dir="auto">Later, Mike</div><div dir="auto"><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><p></p>
<div></div></div><div style="word-wrap:break-word"><div>
<div>
<blockquote type="cite" class="m_5159178407504468633clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span>
<div>
<div>There are only two conditions that can be true at this point:</div>
</div>
</span></blockquote>
</div>
</div></div><div style="word-wrap:break-word"><div><div>
<div>
<blockquote type="cite" class="m_5159178407504468633clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span>
<div>
<div>[…]<br>
If #1 is true we should do the roll ASAP […]<br>
If #2 is true we should do the roll ASAP […]</div>
</div>
</span></blockquote>
</div>
<p>As I’ve noted previously, this would appear to argue that SAC-063 rec#3 should not have been made and that the amount of “breakage” is irrelevant. It would be nice if SSAC were to weigh in on this.</p>
<p>Regards,</p>
<p>-drc</p>
<p><br>
</p>
<div></div>
</div>
</div>
</div>
_______________________________________________<br>
ksk-rollover mailing list<br>
<a href="mailto:ksk-rollover@icann.org" target="_blank">ksk-rollover@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/ksk-rollover" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/ksk-rollover</a><br>
</blockquote></div></div>