Hi Tomofumi,

At 21:41 21-09-2014, Tomofumi Okubo wrote:
CAs deal with these risks by establishing and implementing rigorous security controls around key management and undergo third party audits to verify that the controls remain effective and are actually followed. This is kind of funny but they also transfer this risk by buying insurance but I'm not sure this helps. Certainly not applicable to us.
I think the huge difference between the CA business and Root DNSSEC is that there is no going out-of-business for Root DNSSEC. It doesn't matter how ugly it gets, we have no option but to recover and keep on providing the service at all costs.
Thanks for the above explanation. It seems that the CA business is being conflated with Root DNSSEC. There is supposed to be redundancy as part of the DNSSEC practice to reduce the risks. The HSMs are offline. The risk there is physical access [1].

An emergency roll-over could, in simple terms, be when a private key is lost or compromised. A planned roll-over reduces the likelihood of that happening. The reluctance to do that planned roll-over is probably because:

(a) It has never been done before.
(b) There will be an operational impact.

It is difficult to assess (b) because of (a). What there is now is "the root key" [2]. It is not a good idea, in my opinion, to have "the root key" [3].

Regards,
S. Moonesamy

1. I'll skip a discussion of that.
2. Credits to Michael StJohns
3. I am aware that it is a shared key.