Hello,

It's been 3.5 years since the root KSK roll (2018-10-11). Since the idea was to roll it every 5 years, I guess that preparation for the next roll should be starting right?

What's the status of that?

Cheers,

--
Shane

Hi Shane,

Thanks for the question.

We were starting our planning for the next KSK rollover in 2020 when the pandemic forced us to alter our plans. We have hit pause on anything beyond essential activities during key ceremonies until we can reliably resume travel and have our typical gatherings in the KSK facilities. The minimum ceremonies held over the past 2 years have been activities that cannot wait such as quarterly ZSK signing. We consider for KSK generation it is more critical to have in-person observation. We’d also like to undertake activities like refreshing the RKSH credentials as part of these deferred processes too.

As of today, ICANN is disallowing travel and arranging community meetings apart from some very narrow exceptions. If current trends continue, I am hopeful that will be relaxed soon and we can start considering a return to normal operations for KSK ceremonies. Another key consideration will also be both the ability and willingness of other participants to travel - even when ICANN updates its corporate policy we will need a quorum of third-party participants (TCRs, staff, auditors, etc.) to be present as well.

Hope this helps clarify our current thinking, let us know if you have any thoughts.

Thanks,

James

On 3/11/22, 3:17 PM, "ksk-rollover on behalf of Shane Kerr via ksk-rollover" <ksk-rollover-bounces@icann.org on behalf of ksk-rollover@icann.org> wrote:

> Hello,
>
> It's been 3.5 years since the root KSK roll (2018-10-11). Since the idea was to roll it every 5 years, I guess that preparation for the next roll should be starting right?
>
> What's the status of that?
>
> Cheers,
>
> --
> Shane

James Mitchell via ksk-rollover <ksk-rollover@icann.org> wrote:

> We were starting our planning for the next KSK rollover in 2020 when
> the pandemic forced us to alter our plans.

...

> considering a return to normal operations for KSK ceremonies. Another
> key consideration will also be both the ability and willingness of
> other participants to travel - even when ICANN updates its corporate
> policy we will need a quorum of third-party participants (TCRs, staff,
> auditors, etc.) to be present as well.

While I think that we need to do the next roll-over as per current procedures, I wonder if/how we could discuss changes to the procedures to make the KSK rollover less vulnerable to world events.

For instance, if/when we move to elliptic curve for the root, we might be able to make use of threshold modes. draft-hallambaker-threshold-06. How exactly we do this, I don't exactly know yet, but the point is that the math lets us generate/maintain keys in multiple locations, and generate signatures which are then combined without having to be in one place.

There is an increasing push to embed device identities keys in everything, and that requires maintenance of hundreds of private PKIs in the industry. The DNSSEC KSK is a very public and very much gold-plated process that the industry looks to. Not necessarily because it is the best or most secure, but because it's the most visible example to emulate.

Can we get an equivalent or better level of security, at a lower cost? (in terms of Dollars, CO2, and sensitivity to world situation) Can the result become exemplar?

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [

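The idea raised in the message above, key shares generated in separate locations whose partial signatures are combined without the full private key ever existing in one place, shown as an added example that is not part of the thread and is not the construction in draft-hallambaker-threshold-06. It is a toy n-of-n Schnorr signature (every site must take part) over a constructed, deliberately tiny group; all names and parameters are assumptions for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, Y, msg):
    """Hash joint nonce, joint public key and message to a scalar mod Q."""
    data = f"{R}|{Y}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Site:
    """One key-holding location; its private share x never leaves it."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self._x, P)        # public share Y_i = G^x_i

    def nonce_share(self):
        self._k = secrets.randbelow(Q - 1) + 1
        return pow(G, self._k, P)            # public nonce R_i = G^k_i

    def partial_sign(self, c):
        s = (self._k + c * self._x) % Q      # s_i = k_i + c*x_i
        del self._k                          # a nonce must never be reused
        return s

def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def joint_sign(sites, msg):
    # Only public values (Y_i, R_i) and partial signatures cross site boundaries.
    # A production protocol also needs nonce commitments and proofs of possession.
    Y = product(site.pub for site in sites)          # joint public key
    R = product(site.nonce_share() for site in sites)
    c = challenge(R, Y, msg)
    s = sum(site.partial_sign(c) for site in sites) % Q
    return Y, (R, s)

def verify(Y, msg, sig):
    """Ordinary single-key Schnorr check: G^s == R * Y^c (mod P)."""
    R, s = sig
    return pow(G, s, P) == R * pow(Y, challenge(R, Y, msg), P) % P
```

The verifier sees one public key and one signature, so relying parties need no knowledge of how many sites took part in signing.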
participants (3): James Mitchell, Michael Richardson, Shane Kerr