<div dir="ltr">There is not much you can do with the existing keys but
still, KMIP is something to consider going forward if one is concerned
about vendor lock-ins.<div>Needless to say, like anything else, there
is a tradeoff.</div><div><br></div><div>Cheers!</div><div>T.</div></div><br><div
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 31, 2023 at 11:23 PM Jakob Schlyter via ksk-rollover &lt;<a href="mailto:ksk-rollover(a)icann.org">ksk-rollover(a)icann.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover wrote:<br>
<br>
> From our experience besides admin interfaces, standard APIs for<br>
> regular operations, generating keys, sign, verify etc... are available<br>
> (PKCS#11/KMIP) from multiple vendors. But exporting/importing a key,<br>
> especially with the no-export attribute set, among vendors is not<br>
> available.<br>
<br>
I concur; moving keys not marked as CKA_EXTRACTABLE (at time of
generation) is generally not supported (due to FIPS requirements).<br>
<br>
    jakob<br>
<br>
-- <br>
Jakob Schlyter<br>
Kirei AB - <a href="http://www.kirei.se" rel="noreferrer" target="_blank">www.kirei.se</a><br>
_______________________________________________<br>
ksk-rollover mailing list<br>
<a href="mailto:ksk-rollover@icann.org" target="_blank">ksk-rollover(a)icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/ksk-rollover" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/ksk-rollover</a><br>
<br>
</blockquote></div>
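The replies above turn on one PKCS#11 detail: an attribute decided at key generation cannot be undone later, which is why keys generated without CKA_EXTRACTABLE cannot be moved between vendors by wrapping. The following planning helper is an added example written for this page, not code from any poster or from ICANN, Verisign or Kirei. It encodes the attribute-change rules from the PKCS#11 specification (CKA_SENSITIVE only FALSE to TRUE, CKA_EXTRACTABLE only TRUE to FALSE, CKA_WRAP_WITH_TRUSTED requiring a CKA_TRUSTED wrapping key) and applies them to a constructed key inventory; no HSM is contacted, and the key labels and attribute values are invented.

```python
"""Added example, not part of the thread above.

Migration-planning helper that applies the PKCS#11 attribute rules the replies
refer to. CKA_SENSITIVE may only change FALSE->TRUE and CKA_EXTRACTABLE only
TRUE->FALSE (a token answers any other change with CKR_ATTRIBUTE_READ_ONLY),
so a key generated without CKA_EXTRACTABLE can never leave the HSM via
C_WrapKey. No HSM is contacted; the inventory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One-way boolean attributes: (only permitted old value, only permitted new value)
ONE_WAY: Dict[str, Tuple[bool, bool]] = {
    "CKA_SENSITIVE": (False, True),
    "CKA_EXTRACTABLE": (True, False),
}


def transition_allowed(attr: str, old: bool, new: bool) -> bool:
    """True if C_SetAttributeValue could change `attr` from `old` to `new`."""
    if old == new:
        return True
    if attr in ONE_WAY:
        return (old, new) == ONE_WAY[attr]
    return True  # other boolean attributes are not restricted by this model


@dataclass(frozen=True)
class KeyRecord:
    label: str               # CKA_LABEL
    sensitive: bool          # CKA_SENSITIVE
    extractable: bool        # CKA_EXTRACTABLE
    wrap_with_trusted: bool  # CKA_WRAP_WITH_TRUSTED


def wrap_out_check(key: KeyRecord, wrapping_key_trusted: bool) -> Tuple[bool, str]:
    """Decide whether C_WrapKey could export `key` under a wrapping key that
    does (True) or does not (False) carry CKA_TRUSTED. Returns (possible, reason)."""
    if not key.extractable:
        return (False, "CKA_EXTRACTABLE=FALSE cannot be reverted; "
                       "the key must be regenerated on the target HSM")
    if key.wrap_with_trusted and not wrapping_key_trusted:
        return (False, "CKA_WRAP_WITH_TRUSTED=TRUE requires a wrapping key "
                       "with CKA_TRUSTED=TRUE")
    if key.sensitive:
        return (True, "exportable in wrapped form only; CKA_SENSITIVE blocks "
                      "plaintext reads via C_GetAttributeValue")
    return (True, "exportable wrapped, or in plaintext via C_GetAttributeValue")


def migration_plan(inventory: List[KeyRecord], wrapping_key_trusted: bool):
    """Split an inventory into keys that can leave by wrapping and keys that cannot."""
    movable: List[Tuple[str, str]] = []
    stuck: List[Tuple[str, str]] = []
    for key in inventory:
        ok, why = wrap_out_check(key, wrapping_key_trusted)
        (movable if ok else stuck).append((key.label, why))
    return movable, stuck


# Constructed inventory; labels and attribute values are invented for this example.
SAMPLE_INVENTORY = [
    KeyRecord("example-ksk", sensitive=True, extractable=False, wrap_with_trusted=False),
    KeyRecord("example-zsk", sensitive=True, extractable=True, wrap_with_trusted=True),
    KeyRecord("example-test-key", sensitive=False, extractable=True, wrap_with_trusted=False),
]

if __name__ == "__main__":
    for trusted in (False, True):
        movable, stuck = migration_plan(SAMPLE_INVENTORY, wrapping_key_trusted=trusted)
        print(f"wrapping key trusted={trusted}")
        for label, why in movable:
            print(f"  movable  {label}: {why}")
        for label, why in stuck:
            print(f"  stuck    {label}: {why}")
```

The model covers only what the PKCS#11 attributes themselves guarantee. Vendor or FIPS policy, which Jakob's reply points to, can additionally refuse to wrap private keys even when CKA_EXTRACTABLE is TRUE, so a key the helper reports as "movable" still needs the source and target vendors' wrapping mechanisms confirmed; a key it reports as "stuck" is stuck regardless, and the only remaining path is a rollover to a key generated on the new platform.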
In April we announced that the manufacturer of our hardware security modules (HSMs) will cease production of the devices (https://mm.icann.org/pipermail/root-dnssec-announce/2023/000157.html).
As noted in that communication, we continued with our previously announced plans to begin the first phases of a KSK rollover. We generated a new KSK at the KSK Ceremony 49 in April, and plan to replicate the KSK to the second facility in the upcoming KSK Ceremony 50 this week.
In the past few months we've procured Keyper HSMs to both meet our replacement schedule and provide additional spare units. We've been engaging HSM manufacturers to identify a new vendor and collaborating with our root zone management partner, Verisign, who is also impacted in relation to management of the root zone ZSK. The operational considerations for the ZSK differ from the KSK, particularly given the need for online day-to-day signing, but the security of the root zone relies on the robustness of all of these parts.
In light of the uncertainty surrounding the future configuration of the HSMs, we have decided not to update the root zone trust anchor files with the digest of KSK-2023 immediately following Ceremony 50. There is a strong likelihood we will seek to generate a new KSK on a new HSM platform once operationalized, which will cause us to abandon the recently generated KSK. We will, however, retain the recently generated KSK for now should those plans not pan out in a suitable time frame.
Potential options are being actively evaluated, and we expect to have developed a preferred remediation approach in the coming months. While we don't have all the answers at this time, we encourage questions and feedback from trusted community representatives and other interested observers. This input will help inform our future planning.
James Mitchell
Director, IANA Technical Services