[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)

Tue Feb 7 19:48:01 EST 2012

I haven't gone back to the DSP documents, but for some reason I seem to remember that there are copies of the keys on back up material in an N of K type system.  Smart cards?  Am I wrong?

If I'm not wrong then why would you keep the back-up key anywhere near the live key?  Why would you think that the only security for the back up key would be having a second system identical to the first?

I could design a system that works appropriately - I'm not sure why you think ICANN couldn't.

As Adam Savage said on Mythbusters "I reject your reality and substitute my own".

Mike

At 05:22 PM 2/7/2012, Joe Abley wrote:
>Hi,
>
>On 2012-02-07, at 16:39, Michael StJohns wrote:
>
>> 5011 was actually designed for emergency roll-over, but someone wasn't paying attention to the requirements when they wrote the root key management plan.
>
>Sorry, yes, I misspoke. I was using "5011" loosely, in the sense to which it is referred to in the DPS; that is, a scheduled key rollover will use timers taken from RFC 5011.
>
>Today we have precisely two autonomous and (largely) identical key management facilities which are used to store the KSK (there's a copy of the key materials in each of the two KMFs). They are both regularly exercised; we alternate between KMFs for successive key ceremonies.
>
>Any standby key needs equivalent security and an equivalently-comprehensive chain of custody to the active key, since it might one day become the active key.
>
>With the resources at our disposal today, the only places we could reasonably store the standby keys are the same KMFs that are used to store the active key.
>
>This means the threat of compromise for both active and standby keys are essentially identical; i.e. in any practical scenario, if we need to consider the active key compromised, we also need to assume that the standby key is compromised. We can't follow an emergency key roll using the method you outlined (from 5011) if both active and standby keys are compromised.
>
>The only way I can see that we *could* use that method is if we stored standby key material in a pair of entirely different, but equivalent KMFs dedicated to that purpose. That equivalence would be potentially hard to arrange (and assess) given the need for the facilities to be usefully different.
>
>So, in summary, I hear what you're saying but I'm not at all convinced I know how we (a) could have built that, and (b) could build it now, even ignoring the substantial additional cost in money, time and complexity that would be involved.
>
>
>Joe