[ksk-rollover] Why keep old private keys?

Geoff Huston gih at apnic.net
Wed Apr 3 20:31:28 UTC 2019


> On 4 Apr 2019, at 1:59 am, Salz, Rich via ksk-rollover <ksk-rollover at icann.org> wrote:
>  If you think you’ll need something signed, then sign the new key and then destroy the HSM.
>  

It may be that this is all we might need to do. But the days of PTI making peremptory decisions on such matters are probably long gone, if they ever existed. Even if all we would like from the KSK-2010 is to sign over KSK-2017, then it's my understanding that the PTI requires some form of community consensus that this is an appropriate final use of KSK-2010 before its destruction. (I am not sure if this use of KSK-2010 would be within scope of the existing DPS or not, btw).

Geoff





