[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

S Moonesamy sm+icann at elandsys.com
Mon Sep 22 15:50:47 UTC 2014


Hi David,
At 07:29 22-09-2014, David Conrad wrote:
>If the risk is physical access, then the 
>implication of a planned rollover is that that 
>physical access occurs (much) more frequently 
>than if the physical access is limited to the 
>times when emergency rollover is needed.  As 
>such, it actually increases the likelihood of it 
>happening. What a planned rollover does do is 
>provide more experience in the hopes that we can recover more easily.
>
>Of course, if the private key is lost or 
>compromised, you can’t use 5011 for a rollover.

Based on publicly available information there is 
physical access every six months per KMF.  I 
suggested to IKOS to have any planned key 
roll-over within that event.  That is to avoid 
any additional physical access [1].

>Repeating part of a previous message:
>
>"(a) there is no operational reason that forces 
>the key to change, (b) there is a risk — no 
>matter how slight — that we might screw up, (c) 
>it is expensive and time consuming to drag the 
>necessary people into the secure facilities to 
>spend the 2+ hours necessary to do the key 
>handling appropriately, and (d), it is likely 
>that rolling the key _will_ break things, the 
>only question is how much and who will be affected."

Nobody will want to authorize an emergency 
roll-over as (a) and (b) will weigh heavily against doing that.

I am personally aware of (c).  I have never 
viewed the time as an issue; I am there to 
perform a task and I would like to see it done correctly.

I agree that it is likely that rolling a key (d) 
will break things.  The discussions (not on this 
mailing list) about that have been about how much 
will break and who will be affected.

Regards,
S. Moonesamy

1. http://data.iana.org/ksk-ceremony/18/KSK18-CAM1.mp4  
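As an added illustration (not part of this thread or of any IANA/ICANN tooling), the following Python model of the RFC 5011 add hold-down and revocation rules shows the point David makes above about a lost private key: a resolver only acts on a DNSKEY RRset that validates under a key it already trusts, so a new KSK that the old (now unusable) key cannot sign is never adopted. The key tags 1001 and 2002 are constructed, and the model deliberately ignores real RRSIG verification, the SEP bit and the remove hold-down; those simplifications are assumptions of this example, not of RFC 5011.

```python
"""Toy model of the RFC 5011 trust-anchor update rules (added example; not
part of the thread).  It only tracks which key tags sign the DNSKEY RRset,
so there is no real RRSIG verification, no SEP-bit check and no remove
hold-down; those are assumptions of this model."""
from dataclasses import dataclass, field

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time


@dataclass
class Key:
    tag: int                        # constructed key tag, not a real root KSK tag
    private_available: bool = True  # can the operator still sign with it?
    revoked: bool = False           # REVOKE bit set in the published DNSKEY


@dataclass
class DnskeyRRset:
    keys: list
    signed_by: set                  # tags whose private key produced an RRSIG


def publish(keys):
    """Every key whose private half is still available signs the RRset."""
    return DnskeyRRset(keys=list(keys),
                       signed_by={k.tag for k in keys if k.private_available})


@dataclass
class Resolver:
    trusted: set                                 # currently accepted trust anchors
    pending: dict = field(default_factory=dict)  # new tag -> day first seen

    def observe(self, rrset, day):
        """Apply one observation of the DNSKEY RRset on a given day."""
        # RFC 5011 only acts on an RRset validated by a current trust anchor.
        if not (rrset.signed_by & self.trusted):
            return
        present = {k.tag for k in rrset.keys}
        for k in rrset.keys:
            if k.tag in self.trusted:
                # A revoked key is dropped only when it signs its own revocation.
                if k.revoked and k.tag in rrset.signed_by:
                    self.trusted.discard(k.tag)
            elif not k.revoked:
                first_seen = self.pending.setdefault(k.tag, day)
                if day - first_seen >= ADD_HOLD_DOWN_DAYS:
                    self.trusted.add(k.tag)
                    del self.pending[k.tag]
        # A candidate that disappears before the hold-down elapses starts over.
        for tag in list(self.pending):
            if tag not in present:
                del self.pending[tag]


def planned_rollover(old_key_available):
    """Publish old + new KSK for the hold-down; report whether new is trusted."""
    old = Key(tag=1001, private_available=old_key_available)
    new = Key(tag=2002)
    resolver = Resolver(trusted={old.tag})
    for day in range(ADD_HOLD_DOWN_DAYS + 1):
        resolver.observe(publish([old, new]), day)
    return new.tag in resolver.trusted


def revoke_old_after_rollover():
    """Complete the rollover, then revoke the old key; return remaining anchors."""
    old, new = Key(tag=1001), Key(tag=2002)
    resolver = Resolver(trusted={old.tag})
    for day in range(ADD_HOLD_DOWN_DAYS + 1):
        resolver.observe(publish([old, new]), day)
    old.revoked = True  # the old key still signs, so the revocation validates
    resolver.observe(publish([old, new]), ADD_HOLD_DOWN_DAYS + 1)
    return sorted(resolver.trusted)


if __name__ == "__main__":
    print("old key usable  :", planned_rollover(True))       # True
    print("old key lost    :", planned_rollover(False))      # False
    print("after revocation:", revoke_old_after_rollover())  # [2002]
```

The second scenario is the one the thread is worried about: with the old private key gone, `publish()` can no longer produce a signature the resolver trusts, so the hold-down clock never starts and the only way forward is an out-of-band trust-anchor update rather than a 5011 rollover.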


