Hello David,

On Sun, Sep 21, 2014 at 11:05 PM, David Conrad <david.conrad@icann.org> wrote:
> AFAICT, there is an assumption that there are two modes of potential failure: (a) a catastrophic failure in which the only option is re-bootstrapping and (b) a non-catastrophic failure in which 5011 is a (potentially) viable solution.
Yes, I fully agree.
> Is anyone arguing that we do not need to be prepared for (a), regardless of how unlikely it might be?
Given the importance of the service, we definitely need to be prepared for the worst case. Does it hurt to be overly prepared? Absolutely not.
> What exactly does (b) look like? That is, what is a non-catastrophic failure that would necessitate a key roll?
Off the top of my head, the circumstances for a planned (non-catastrophic) rollover are something like a "theoretical" algorithm compromise (white paper), a change of the recommended algorithm or key length, an HSM vendor change, and a periodic KSK roll (if we choose to do so). It's more like a due diligence thing.

Thanks!
Tomofumi