[ksk-change] Keeping two KSK keys long term

[Joe Abley]

On 2 Oct 2014, at 13:13, Bolivar, Al <abolivar at verisign.com> wrote:

> In the scenario you are talking about the adversary would gain access to
> both HSMs at one of the facilities right? Then you could still use the
> other two HSMs you have at the other facility, provided they didn¹t get
> access to the smart cards (credentials) as well. You could then import the
> KSK into new HSMs via the APP cards.

It's of course possible that someone could gain unauthorised access to the HSMs in one facility without getting access to the corresponding credentials.

However, given that the details of where things are stored is surely well-known (it's documented and shown clearly in video that is made publicly available) it seems likely that any motivated attacker would not open the equipment safe and ignore the credentials safe which is sitting right next to it in the same cage.

The root zone KSK security design depends upon physical security of the facility, not significant separation between the HSMs and the credentials needed to use them. (The PINs associated with each smart card are also not secret; they all use the same PIN which is disclosed in ceremony scripts and in public video).

I'm not suggesting there's a flaw in the design here -- the decision to focus on physical security and associated controls and not to use secret PINs or credentials stored elsewhere was a measured, intentional one.


Joe