On Oct 1, 2014, at 2:15 PM, Jakob Schlyter <jakob@kirei.se> wrote:
On 1 Oct 2014, at 23:00, Michael StJohns <msj@nthpermutation.com> wrote:
Having two keys - in the trust anchor set - should be the minimum steady state. It means that you can compromise one of them and still recover without needing to do a full trust reboot.
That only makes sense if you maintain and protect the keys separately, something that comes with a considerable cost. We did consider this when the current Root DNSSEC was engineered, and IIRC the cost/benefit analysis did not justify such a scheme.
With all due respect, I'd like to see those numbers. The cost is approximately "have an extra HSM stored somewhere where the other HSMs are not". I'm not sure how expensive that can be relative to "fly a bunch of folks around twice a year for the ceremonies", much less relative to "if we needed it, we could show people we had planned for it". --Paul Hoffman