Erwin Lansing via ksk-rollover <ksk-rollover@icann.org> wrote:

> With regards to online standby keys, it needs to be seen in a holistic
> way. What threats or scenarios are those keys trying to mitigate? Do
> they actually provide the security we think they do? E.g. if the active
> and standby keys are generated in the same HSM, it is no protection
> from an HSM compromise. What new vulnerabilities do published standby
> keys pose? With all the lessons learned since 2010, let's go back to
> defining the problem we're trying to solve, rather than having standby
> keys as a solution looking for a problem.

Pre-published keys let us embed anchors into devices/firmware that might sit on shelves/in boxes for a few years.

It also lets us install operating systems that are not the most recent (a Long-Term-Support release) in order to reproduce systems that are in production.

Of course, we want to update these things with patches, but that requires DNS, and if we are going to take the view that DNSSEC should always be on, then we need it to be on during patching.

That's the problem statement.
(and... there are solutions other than pre-published keys.)

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-