Hi Mike, Section 6.5 of the Root Zone DPS [1] states that a key rollover will be scheduled on or after five years. At 08:58 18-09-2014, Michael StJohns wrote:
So a good place to start IMHO is NIST SP800-57 Part 1, Rev 3, Section 5.3.4 Cryptoperiods for Asymmetric Keys.
Other places to look are:
a) What is the expected EOL of the hardware currently used for root signing?
That would be at least five years.
i) Is there a transition plan for transition to new hardware?
In my opinion that was to be covered by the key rollover.
b) What affect on the overall security of the system does transition of personnel have? E.g. replacement of ICANN personnel involved with the KSK, replacement of community representatives? Are there exploitable attack surfaces?
I'll skip this one.
e) Can any of the above be mitigated through a single KSK rollover? Through regularly scheduled KSK rollovers?
I am one of the Crypto Officers (West Coast). The key rollover process has never been exercised. The logistics is non-trivial. I raised the question of a KSK rollover previously with ICANN as there isn't any operational experience for some parts of the DPS. Regards, S. Moonesamy 1. https://www.iana.org/dnssec/icann-dps.txt