Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Peter Koch <pk@DENIC.DE> Mon, 27 April 2009 11:21 UTC

Date: Mon, 27 Apr 2009 13:19:45 +0200
From: Peter Koch <pk@DENIC.DE>
To: IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20090427111945.GC11204@x27.adm.denic.de>
References: <20090306141501.4BA2F3A6B4B@core3.amsl.com> <49EDA81E.2000600@ca.afilias.info> <a06240805c6138a622949@[10.31.200.142]> <82iqkykq10.fsf@mid.bfk.de> <a06240807c61393343ac7@[10.31.200.142]> <20090421153213.GA7564@nic.fr> <a06240808c61397d750db@[10.31.200.142]> <20090421160040.GD64986@shinkuro.com> <a06240800c613abf111de@[10.31.200.142]> <49EE239D.8030701@ca.afilias.info>
In-Reply-To: <49EE239D.8030701@ca.afilias.info>

On Tue, Apr 21, 2009 at 09:50:53PM +0200, Shane Kerr wrote:

> When we looked at the problem of disgruntled or bribed employees, HSM
> (or the equivalent) was the only logical answer. Otherwise the private
> key can be copied off, probably without your knowledge, by trusted staff.
> 
> Not necessary in all scenarios, clearly! But I think a paragraph or two
> in the RFC to alert people to the possibility makes sense.

In an attempt to summarize and give our editors some guidance, is it OK
to read

o the protection of the key against (unauthorized) copying should be
  weighed against the chance of detection, the remaining window of
  opportunity for the attacker and the "cost" of rolling the (compromised)
  key.

o the WG believes that the use of HSMs for DNSSEC KSKs is useful {is
  that useful as in "RECOMMENDED"?} for a certain type of zones ("high
  profile"?) to minimize the risk of an unnoticed key compromise (copy).

o HSMs for ZSKs might be less efficient (as in signatures/second) and
  effective, since the ease of automation generally preferred for this
  type makes the attacker's job easier (you might not be able to copy
  the key, but you might be able to get a valid signature on arbitrary data).

The term "HSM", though, doesn't imply any particular security level
unless some certification is provided.  If the WG would like to make
recommendations here, we should keep in mind who our target audiences are
and how to serve an international readership, especially if the to-be-BCP
should make it into or be referenced by some RFP type document.

-Peter
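The third bullet above makes a point that is easy to lose in a BCP: a non-exportable ZSK stops the key from being copied, but an automated signer that will sign whatever it is handed still gives an insider a "signature on arbitrary data". The following is an added example, not code from the thread or from any DNSOP document, showing the kind of policy gate a signing front-end can place in front of the key so that the automation signs only what the zone operator intends. The HSM is a stand-in (HMAC-SHA256 over a simplified canonical RRset) so the example runs offline; the policy fields, request shape and sample records are all constructed for illustration, and a real deployment would replace `HsmStub.sign` with a PKCS#11 signing call.

```python
"""Policy gate in front of an automated zone-signing key (added example).

The key object exposes only sign(); the gate checks each request against a
zone-specific signing policy before the key is ever used.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass


class HsmStub:
    """Stand-in for a non-exportable signing key: only sign() is exposed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never returned by any method

    def sign(self, data: bytes) -> bytes:
        # Constructed substitute for the real signature operation.
        return hmac.new(self._secret, data, hashlib.sha256).digest()


@dataclass
class SignRequest:
    owner: str          # owner name, e.g. "www.example."
    rrtype: str         # RR type mnemonic, e.g. "A"
    rdata: list[str]    # presentation-format RDATA strings
    inception: int      # RRSIG inception, Unix time
    expiration: int     # RRSIG expiration, Unix time


@dataclass
class SigningPolicy:
    zone: str                                  # apex this ZSK is allowed to sign
    allowed_types: frozenset[str]              # RR types the automation may sign
    max_validity: int = 14 * 86400             # longest RRSIG lifetime, seconds
    max_clock_skew: int = 3600                 # tolerated future inception
    # Types that belong to the KSK or to the parent, never to the ZSK automation.
    forbidden_types: frozenset[str] = frozenset({"DNSKEY", "DS"})


def _in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name below it (names end in '.')."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def check_policy(req: SignRequest, policy: SigningPolicy, now: int) -> list[str]:
    """Return every policy violation; an empty list means the request may be signed."""
    errors: list[str] = []
    if not _in_bailiwick(req.owner, policy.zone):
        errors.append("owner outside zone")
    rrtype = req.rrtype.upper()
    if rrtype in policy.forbidden_types:
        errors.append("type reserved for KSK or parent")
    elif rrtype not in policy.allowed_types:
        errors.append("type not allowed")
    if req.inception > now + policy.max_clock_skew:
        errors.append("inception in the future")
    if req.expiration - req.inception > policy.max_validity:
        errors.append("validity window too long")
    if req.expiration <= now:
        errors.append("already expired")
    return errors


def canonical_form(req: SignRequest) -> bytes:
    """Simplified canonical serialization: lower-cased owner, sorted RDATA."""
    fields = [req.owner.lower(), req.rrtype.upper(), str(req.inception), str(req.expiration)]
    fields.extend(sorted(req.rdata))
    return "\n".join(fields).encode()


def sign_rrset(req: SignRequest, policy: SigningPolicy, hsm: HsmStub, now: int | None = None) -> bytes:
    """Sign only if the request passes policy; otherwise refuse without touching the key."""
    now = int(time.time()) if now is None else now
    errors = check_policy(req, policy, now)
    if errors:
        raise PermissionError("refused: " + "; ".join(errors))
    return hsm.sign(canonical_form(req))


if __name__ == "__main__":
    policy = SigningPolicy(zone="example.", allowed_types=frozenset({"A", "AAAA", "MX", "NS"}))
    hsm = HsmStub(b"constructed-secret")
    now = int(time.time())
    ok = SignRequest("www.example.", "A", ["192.0.2.1"], now, now + 7 * 86400)
    print("signed:", sign_rrset(ok, policy, hsm, now).hex())
    foreign = SignRequest("www.attacker.test.", "A", ["192.0.2.1"], now, now + 7 * 86400)
    print("violations:", check_policy(foreign, policy, now))
```

The gate refuses out-of-zone owners, KSK- or parent-owned types, and oversized validity windows before the key is used, and the refusals are the events worth logging: each one is a concrete signal for the "chance of detection" the first bullet weighs against the cost of a rollover.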