Hi David, At 07:29 22-09-2014, David Conrad wrote:
> If the risk is physical access, then the implication of a planned rollover is that that physical access occurs (much) more frequently than if the physical access is limited to the times when emergency rollover is needed. As such, it actually increases the likelihood of it happening. What a planned rollover does do is provide more experience in the hopes that we can recover more easily.
>
> Of course, if the private key is lost or compromised, you can't use 5011 for a rollover.
Based on publicly available information there is physical access every six months per KMF. I suggested to IKOS to have any planned key roll-over within that event. That is to avoid any additional physical access [1].
Repeating part of a previous message:
"(a) there is no operational reason that forces the key to change, (b) there is a risk no matter how slight that we might screw up, (c) it is expensive and time consuming to drag the necessary people into the secure facilities to spend the 2+ hours necessary to do the key handling appropriately, and (d), it is likely that rolling the key _will_ break things, the only question is how much and who will be affected."
Nobody will want to authorize an emergency roll-over as (a) and (b) will weigh heavily against doing that. I am personally aware of (c). I have never viewed the time as an issue; I am there to perform a task and I would like to see it done correctly. I agree that it is likely that rolling a key (d) will break things. The discussions (not on this mailing list) about that have been about how much will break and who will be affected.

Regards,
S. Moonesamy

1. http://data.iana.org/ksk-ceremony/18/KSK18-CAM1.mp4
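The RFC 5011 point in the quoted text (a lost or compromised KSK cannot be rolled with 5011) can be seen by walking a resolver's trust-anchor state machine. The following is an added example, not code from the thread or from any root-zone tooling: it models the RFC 5011 AddPend/Valid/Revoked states with the 30-day add hold-down, uses constructed key tags (1001, 2002) rather than any real root KSK tags, and abstracts RRSIG validation to "the set of key tags whose signature over the RRset verifies". The Missing state and the fact that setting the REVOKE bit changes a key's real key tag are deliberately left out.

```python
# Added example (not from the mailing-list thread): a minimal RFC 5011 trust-anchor
# state machine, used to show why a lost or compromised KSK cannot be rolled via 5011.
from dataclasses import dataclass

ADD_HOLD_DOWN = 30 * 24 * 3600      # RFC 5011 add hold-down time: 30 days, in seconds
REVOKE_FLAG = 0x0080                 # DNSKEY REVOKE flag bit defined by RFC 5011


@dataclass
class Anchor:
    key_tag: int
    state: str        # "AddPend", "Valid" or "Revoked"
    first_seen: int   # time (seconds) the key was first observed in a trusted RRset


class TrustAnchorStore:
    """Resolver-side trust anchor set for one zone, driven by observed DNSKEY RRsets."""

    def __init__(self, initial_tags, now):
        # Configured anchors start out Valid (e.g. the shipped root trust anchor).
        self.anchors = {t: Anchor(t, "Valid", now) for t in initial_tags}

    def valid_tags(self):
        return {t for t, a in self.anchors.items() if a.state == "Valid"}

    def process(self, dnskeys, signer_tags, now):
        """Apply one observed DNSKEY RRset.

        dnskeys:     list of (key_tag, flags) pairs present in the RRset.
        signer_tags: key tags whose RRSIG over the RRset validates (signature
                     checking is abstracted; tags stand in for the keys).
        Returns True if the RRset was accepted, False if it was ignored.
        """
        # RFC 5011 trusts an RRset only when a currently Valid anchor signed it.
        # This is the step a lost or compromised old key can never satisfy.
        if not (signer_tags & self.valid_tags()):
            return False

        present = {t for t, _ in dnskeys}
        # A pending key that drops out of the RRset goes back to Start (forgotten).
        for t in [t for t, a in self.anchors.items()
                  if a.state == "AddPend" and t not in present]:
            del self.anchors[t]

        for tag, flags in dnskeys:
            a = self.anchors.get(tag)
            if flags & REVOKE_FLAG:
                # Revocation is accepted only if the revoked key itself signed the RRset.
                if a is not None and tag in signer_tags:
                    a.state = "Revoked"
            elif a is None:
                self.anchors[tag] = Anchor(tag, "AddPend", now)
            elif a.state == "AddPend" and now - a.first_seen >= ADD_HOLD_DOWN:
                a.state = "Valid"
        return True


OLD_KSK, NEW_KSK = 1001, 2002   # constructed key tags, not the root zone's real tags
KSK_FLAGS = 257                  # ZONE + SEP flags


def planned_rollover():
    """Old key still usable: it signs the RRset that introduces the new key."""
    store = TrustAnchorStore({OLD_KSK}, now=0)
    rrset = [(OLD_KSK, KSK_FLAGS), (NEW_KSK, KSK_FLAGS)]
    store.process(rrset, {OLD_KSK, NEW_KSK}, now=0)
    pending = store.anchors[NEW_KSK].state            # "AddPend"
    store.process(rrset, {OLD_KSK, NEW_KSK}, now=ADD_HOLD_DOWN)
    # Finally the old key is published with REVOKE set and signs its own revocation.
    store.process([(OLD_KSK, KSK_FLAGS | REVOKE_FLAG), (NEW_KSK, KSK_FLAGS)],
                  {OLD_KSK, NEW_KSK}, now=ADD_HOLD_DOWN + 1)
    return pending, store.anchors[NEW_KSK].state, store.anchors[OLD_KSK].state


def lost_key_rollover():
    """Old private key lost/compromised: the operator can only sign with the new key."""
    store = TrustAnchorStore({OLD_KSK}, now=0)
    accepted = store.process([(NEW_KSK, KSK_FLAGS)], {NEW_KSK}, now=0)
    # The RRset is ignored and the new key never even reaches AddPend, so every
    # 5011 resolver keeps trusting only the old key and needs a manual update.
    return accepted, NEW_KSK in store.anchors


if __name__ == "__main__":
    print("planned:", planned_rollover())   # ('AddPend', 'Valid', 'Revoked')
    print("lost key:", lost_key_rollover())  # (False, False)
```

The contrast between the two scenarios is the whole argument: a planned roll works because the old key is still available to sign the introduction of the new one and, thirty days later, its own revocation; an emergency roll after key loss has no trusted signer, so RFC 5011 cannot carry the new anchor to resolvers and out-of-band distribution is the only option.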