James Mitchell via ksk-rollover <ksk-rollover@icann.org> wrote:
> We were starting our planning for the next KSK rollover in 2020 when
> the pandemic forced us to alter our plans.
...
> considering a return to normal operations for KSK ceremonies. Another
> key consideration will also be both the ability and willingness of
> other participants to travel - even when ICANN updates its corporate
> policy we will need a quorum of third-party participants (TCRs, staff,
> auditors, etc.) to be present as well.

While I think that we need to do the next roll-over as per current
procedures, I wonder if/how we could discuss changes to the procedures
to make the KSK rollover less vulnerable to world events.

For instance, if/when we move to elliptic curve for the root, we might be
able to make use of threshold modes. draft-hallambaker-threshold-06.
How exactly we do this, I don't exactly know yet, but the point is that
the math lets us generate/maintain keys in multiple locations, and
generate signatures which are then combined without having to be in one
place.

There is an increasing push to embed device identity keys in everything,
and that requires maintenance of hundreds of private PKIs in the industry.
The DNSSEC KSK is a very public and very much gold-plated process that the
industry looks to. Not necessarily because it is the best or most secure,
but because it's the most visible example to emulate.

Can we get an equivalent or better level of security, at a lower cost?
(in terms of Dollars, CO2, and sensitivity to world situation)
Can the result become exemplar?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | IoT architect      [
]     mcr@sandelman.ca  http://www.sandelman.ca/        | ruby on rails      [
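
As an added illustration of the threshold idea in the message above (not code from the post or from draft-hallambaker-threshold), this Python example splits a Schnorr key additively across three sites and combines their partial signatures into one signature that verifies against a single public key. Assumptions: a toy-sized constructed group, all sites must take part (n-of-n), and the names `Site`, `threshold_sign` and `verify` are hypothetical; a deployable scheme also needs nonce commitments and proof of possession for each key share.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for illustration, far too small for real use):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """Fiat-Shamir challenge c = H(R | X | msg) mod Q."""
    data = b"%d|%d|" % (R, X) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Site:
    """One key-holding location; its secret share never leaves this object."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1   # private key share x_i
        self.X = pow(G, self._x, P)              # public key share X_i

    def commit(self):
        """Round 1: pick a fresh nonce r_i and publish R_i = G^r_i."""
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(G, self._r, P)

    def respond(self, c):
        """Round 2: partial signature s_i = r_i + c*x_i mod Q; nonce is single-use."""
        s_i, self._r = (self._r + c * self._x) % Q, None
        return s_i

def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def threshold_sign(sites, msg):
    """Coordinator: sees only public values and partial signatures."""
    X = product(s.X for s in sites)              # aggregate public key
    R = product([s.commit() for s in sites])     # aggregate nonce commitment
    c = challenge(R, X, msg)
    s = sum(site.respond(c) for site in sites) % Q
    return X, (R, s)

def verify(X, msg, sig):
    """Ordinary single-key Schnorr check: G^s == R * X^c (mod P)."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P
```

The verifier needs no knowledge that the key was ever split: the combined `(R, s)` passes the same check as a signature made with one private key, which is why the sites do not have to meet to sign.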