On 2 aug 2010, at 16.51, Jeffrey Schiller wrote:

> Does the root KSK exist in a form that doesn't require the HSM to
> re-join, or more to the point if the manufacturer of the HSM fails, is
> it possible to re-join the key and load it into a different vendor's
> HSM?

With the assistance of the

On 2 aug 2010, at 08.30, Peter Gutmann wrote:

> For the case of DNSSEC, what would happen if the key was lost? There'd be a
> bit of turmoil as a new key appeared and maybe some egg-on-face at ICANN, but
> it's not like commercial PKI with certs with 40-year lifetimes hardcoded into
> every

On 31 jul 2010, at 08.44, Peter Gutmann wrote:

> Apparently the DNS root key is protected by what sounds like a five-of-seven
> threshold scheme, but the description is a bit unclear. Does anyone know
> more?

The DNS root key is stored in HSMs. The key backups (maintained by ICANN) are
encrypted
- https://www.iana.org/dnssec/icann-dps.txt.
jakob (member of the Root DNSSEC Design Team)
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/
-
The Cryptography Mailing List