S Moonesamy <sm+icann@elandsys.com> wrote: >> But, I started re-reading things because I was looking for pointers to >> documents *less* secure practices for CA key management. That's poor >> wording. >> let me try again: Practices for lower value assets than the KSK. > There may be some old documentation (it is around a decade ago) which might > be of help to the alternatives which were considered. The requirements for > the Root Zone are unique. I suggest assessing which of them you works for > your case. My cases are varied and not "mine"; I wish to point my readers towards one or more survey articles that will point them in the right direction. At the least, will permit them to form their own order of magnitude cost estimates for different solutions. So I would love to have those pointers. I tried to follow "SAS 70 Root Key Ceremony", but SAS 70 is a different ISO 9000-type process, so it's a meta-process relating to auditing, not relating to Root Key Ceremony. But, a useful thing to apply to your Root Key Ceremony. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-