Dave Lawrence <tale@dd.org> wrote:
> Michael Richardson writes:
>> It seems that these issues exist if there are *any* keys generated
>> before use, independently of the number of keys.
>
> Yes, exactly, which makes me scratch my head every time someone
> proposes a list of pre-generated keys as the solution to this
> problem.

Interesting that we agree on a core assumption and then come to opposite
conclusions :-)

> It seems to me that what such a list gets you is lead time on cracking
> future keys, or more things that end up useless in the event some
> aspect of the whole process is found to have been faulty. This in
> exchange for the busywork of changing the current key more frequently
> without adding any real additional security in the process.

I could live with a KSK being in use for a long period of time.
But, I don't buy the lead time argument.

If any of the N keys are vulnerable to brute force attack in the planned use
of period, then all the keys are vulnerable to an adversary with 1/N more
resources. Do you agree with this?

Brute force is not the only attack: there are possible "Mission
Impossible"-like exfiltration attacks against the HSM(s). Do these attacks
depend upon how many keys there are? I don't think so.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-