On 2018-01-09 at 01:33, David Conrad wrote:
Mike,
On January 7, 2018 at 12:53:15 PM, Michael StJohns (msj@nthpermutation.com) wrote:
If the key gets lost or compromised, my understanding is that we cannot use RFC 5011 to do the roll and must fall back to doing an out-of-band key rollover. We aren’t really exercising this under this iteration of the community defined KSK rollover plan.
Um. No.
As currently operationally practiced, I believe my statement is correct.
Your statement is correct. Adding an emergency rollover key (as described by Mike) has been considered several times over the years, but has been rejected every time due to how the primary key is protected and maintained. No failure scenario has been identified where it wouldn't be possible to recover from a failure and still maintain public transparency. An emergency rollover key does not help us in the current design, nor does it make the current key rollover easier.
jakob