[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)

bert hubert bert.hubert at netherlabs.nl
Thu Feb 9 04:07:32 EST 2012

On Wed, Feb 08, 2012 at 07:48:17PM -0500, Michael StJohns wrote:
> A key on the HSM can be compromised:
>   via compromise of the HSM hardware, 
>   a fault in the HSM firmware
>   by theft of the HSM along with the activation credentials, 
>   by theft of the HSM master keys (not sure the HSM you're using has externalized master keys - so) and the encrypted backup material.

The HSM itself might be broadcasting its secret keys over a cell phone
frequency for all you know.  Unless you keep it well underground and
permanently out of the (RF) way of people you don't trust, you are basically
putting your faith in the HSM vendor and anyone that had access to the
device before you did.

I realize this is a rather elevated level of paranoia, but an HSM is not
magic. Internally most of them are 'just computers'. Smart cards too are not
filled with pixie dust.

They do not provide a principal barrier, they mostly elevate the barrier a
lot for most adversaries.

