Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Paul Wouters <paul@xelerance.com> Tue, 21 April 2009 17:58 UTC

Date: Tue, 21 Apr 2009 13:59:49 -0400
From: Paul Wouters <paul@xelerance.com>
To: Edward Lewis <Ed.Lewis@neustar.biz>
In-Reply-To: <a06240807c61393343ac7@[10.31.200.142]>
Message-ID: <alpine.LFD.1.10.0904211356410.26971@newtla.xelerance.com>
References: <20090306141501.4BA2F3A6B4B@core3.amsl.com> <49EDA81E.2000600@ca.afilias.info> <a06240805c6138a622949@[10.31.200.142]> <82iqkykq10.fsf@mid.bfk.de> <a06240807c61393343ac7@[10.31.200.142]>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

On Tue, 21 Apr 2009, Edward Lewis wrote:

> Rolling a key is much less problematic (especially ZSKs) than having to clean 
> up a "hijacked" delegation.  Even a KSK isn't that bad - if the parent is 
> signed and I never promise my KSK as an SEP.

Then you put your vulnerability period during emergency key rollover in the
hands of the RRSIG lifetime of the parent. That lifetime is probably even
longer than the time for the attack(er) to make it to CNN's broadcast that
hopefully warns your customers.

> This isn't a "death-knell" for HSMs in my mind.  There are environments where 
> they are useful.  It's just in an environment which already has a lot of 
> "fortification" an HSM may not be an improvement, other than to claim "we do 
> it."

I do agree mostly with this statement. See previous email.

Paul
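Paul's point about the parent's RRSIG lifetime, worked through as an added example (not part of the thread): the parent can pull a DS and re-sign at once, but a validator still accepts the old DS RRset with its old RRSIG until that signature's expiration, so the exposure window is set by the parent's signing policy, not by how fast the child rolls. The RRSIG line, key tag and compromise time below are constructed sample values.

```python
"""Added example: how long a superseded DS remains replayable to validators,
bounded by the parent's RRSIG expiration (RFC 4034 s.3.2 presentation format,
RFC 4035 s.5.3.3 validity and TTL rules). Sample data is constructed."""
from datetime import datetime, timedelta, timezone

def parse_rrsig_time(field: str) -> datetime:
    """RRSIG inception/expiration in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rr: str) -> dict:
    """Parse one RRSIG in zone-file presentation format into its RDATA fields."""
    f = rr.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % rr)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }

def replay_window(rrsig: dict, now: datetime) -> timedelta:
    """Time during which a captured DS RRset plus this RRSIG still validates.

    Removing the DS and re-signing the parent does not revoke the old signature;
    RFC 4035 s.5.3.3 only requires inception <= now <= expiration, so a validator
    handed the old RRset accepts it until `expiration`, whatever the child does.
    """
    if now < rrsig["inception"]:
        raise ValueError("signature not yet valid")
    return max(rrsig["expiration"] - now, timedelta(0))

def cached_ttl(rrsig: dict, now: datetime) -> int:
    """How long a validator may keep a copy it already holds: the RRset TTL,
    capped at the remaining signature validity (RFC 4035 s.5.3.3)."""
    remaining = int(replay_window(rrsig, now).total_seconds())
    return min(rrsig["ttl"], remaining)

# Constructed sample: a root-zone RRSIG over the DS RRset of "example.".
SAMPLE_RRSIG = ("example. 86400 IN RRSIG DS 5 1 86400 20090501000000 20090417000000 "
                "12345 . c29tZWJhc2U2NHBsYWNlaG9sZGVy")
# Constructed: the moment the child notices its KSK is compromised.
COMPROMISE_NOTICED = datetime(2009, 4, 21, 18, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    print("replay window:", replay_window(sig, COMPROMISE_NOTICED))  # 9 days, 6:00:00
    print("cache cap (s):", cached_ttl(sig, COMPROMISE_NOTICED))     # 86400
```

Shortening the DS TTL on the child's side changes nothing here; only the parent's signature validity period bounds the window.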