On 16-07-13 17:49, Gavin Brown wrote:
>
> The devices we're evaluating are Safenet. Backups cannot be
> automated as they require a physical hardware token. This is the
> reason why we want to pre-generate all the keys, to avoid having to
> perform regular backups manually. Instead we generate all the keys
> we'll need, backup once, and forget about it.
Using the Safenet HSMs ourselves, and knowing their complexity and hardware tokens, I wonder how you accommodate emergency key rollovers, hardware failure, and training for that.

We have also generated all KSKs for the HSM lifetime, and have performed surprise rollovers to avoid people using our KSK as a trust anchor (for which we have no procedure; we just tell everyone to use the root as trust anchor). But we do train our staff every half year in a test environment so nobody forgets the procedures and token PINs for when we really need them. Since our ZSKs are not pre-generated for the lifetime of the HSM, during this training we also create new backups for our production HSMs, and restore HSMs in a test environment from existing backups, so we train our staff in restoring an HSM.

We have had one occasion where we really needed this, as one of the 2 HSMs we use in production had a hardware failure, and we had to restore one of the 2 HSMs in our test environment to quickly replace it.

So set and forget is not something you can rely on.

--
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 M: +31 6 23368970
Mailto: [email protected]
XMPP: [email protected]
HTTP://www.sidn.nl/

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
