Hi Paul, I do like the idea of having a backup key but I'm still not convinced that the backup key requires a separate key ceremony room. The entire site getting physically compromised is not the only scenario and I don't think it has the highest probability. Instead, most likely, the issue would be a flaw in the HSM or a flaw in the algorithm or an insufficient key strength. An alternate site is not required to mitigate these risks. You just need a backup key with different specs on different HSMs. I believe these are more important before adding an alternate site. Cheers, Tomofumi On Wed, Oct 1, 2014 at 4:03 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
On Oct 1, 2014, at 3:48 PM, Tomofumi Okubo <tomofumi.okubo@gmail.com> wrote:
It will roughly cost around 500k to set up one key ceremony room but it's more about the overhead to manage the facilities.
I propose that this additional key need a new key ceremony room; in fact, that idea hadn't even occurred to me. Create the key in one of the current rooms, then drive the HSM to some other location and plant it there. Rent a party bus for the participants so that they can watch the HSM the whole time. You can even have the HSM sign something at the new location to prove that it is the same key that was created at the first place.
Again, I'm only proposing this because my reading of 5011 makes it seem like having a second active KSK would be better if one of the KSKs is accidentally or purposely made unusable. Mike seems to agree with this; do others disagree?
--Paul Hoffman