Paul, On Oct 1, 2014, at 4:03 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
On Oct 1, 2014, at 3:48 PM, Tomofumi Okubo <tomofumi.okubo@gmail.com> wrote:
It will roughly cost around 500k to set up one key ceremony room but it's more about the overhead to manage the facilities. I propose that this additional key need a new key ceremony room;
I presume you meant to write “didn’t propose”
in fact, that idea hadn't even occurred to me. Create the key in one of the current rooms, then drive the HSM to some other location and plant it there.
It might be useful to describe the requirements for the “other location”. Gaining unauthorized access to that HSM would be “bad”, so we’re probably not talking about storing the HSM under somebody’s bed. It might not need the full controls used in the KSF, but presumably there would need to be non-trivial controls (as well as controls related to transfer).
Again, I'm only proposing this because my reading of 5011 makes it seem like having a second active KSK would be better if one of the KSKs is accidentally or purposely made unusable. Mike seems to agree with this; do others disagree?
Having more than one key would be good. Having more than one vendor of HSM would be good. If we’re looking at using the initial key roll as a way of making changes to the way the root key(s) is(are) managed, it might be useful to enumerate the good things and bad things. Regards, -drc