There is a lot of work going on in this area, including how to use secure DNS
to associate the key that appears in a TLS server's certificate with the
intended domain name [1]. Adding HSTS to this mix does make sense and is
something that is discussed, e.g. on the keyassure mailing list [2].
On 2 aug 2010, at 08.30, Peter Gutmann wrote:
> For the case of DNSSEC, what would happen if the key was lost? There'd be a
> bit of turmoil as a new key appeared and maybe some egg-on-face at ICANN, but
> it's not like commercial PKI with certs with 40-year lifetimes hardcoded into
> every br
On 2 aug 2010, at 16.51, Jeffrey Schiller wrote:
> Does the root KSK exist in a form that doesn't require the HSM to
> re-join, or more to the point if the manufacturer of the HSM fails, is
> it possible to re-join the key and load it into a different vendor's
> HSM?
With the assistance of the ve
On 1 aug 2010, at 16.43, Thierry Moreau wrote:
> Technically, the USG requested FIPS-140-2 level 4 HSM technology for the DNS
> root signing gear. This implies a single source, with a very inflexible user
> interface (no special personalization of the HSM for the DNSSEC project). The
> threshol
On 31 jul 2010, at 08.44, Peter Gutmann wrote:
> Apparently the DNS root key is protected by what sounds like a five-of-seven
> threshold scheme, but the description is a bit unclear. Does anyone know
> more?
The DNS root key is stored in HSMs. The key backups (maintained by ICANN) are
encrypte
> Is there an emergency KSK rollover strategy?
Yes, please read the DPS - https://www.iana.org/dnssec/icann-dps.txt.
jakob (member of the Root DNSSEC Design Team)
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/