Web expert on his 'catastrophe' key for the internet
James Hess
mysidia at gmail.com
Fri Jul 30 04:55:38 UTC 2010
On Thu, Jul 29, 2010 at 10:23 PM, Franck Martin <franck at genius.com> wrote:
> Hmmm, from the interview of the British guy, the smart card seems to be in UK (he did a lapsus on it), which differs from what you describe.
You gotta read up on the whole ceremony and their statement of
practices: https://www.iana.org/dnssec/icann-dps.txt ... Crypto
Officers are different from Recovery Key Share Holders.
Crypto officers hold a key to a safe deposit box in the safe room
Safe 2, containing the operator cards.
"Tier 5"
Each vault contains a Tamper-evident bag (TEB) with a smart card
required to authenticate with the HSM to perform crypto operations.
Those cards don't leave the facility.
The operator cards are only authentication tokens; the key is stored
on the hardware security modules.
Hardware security modules, and the laptop+DVD+USB Flash stick required
to operate them, are stored in tamper-evident bags in Safe 1.
There are 7 crypto officers per site, but only 3 are required to
authenticate to the HSM to enable it to perform operations.
The recovery key share holders have a key to a bank safety deposit
box under _their own_ control, containing a smartcard in a
tamper-evident bag, holding part of the HSM's internal encryption key.
Each RKSH has to provide and maintain records of where they are
storing their smartcard.
7 RKSH per site, but only 5 are required for recovery operations.
--
-J
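
The 5-of-7 recovery rule described in the message above can be illustrated with a threshold secret-sharing scheme. This is an added example, not part of the original post and not ICANN's or any HSM vendor's code; the post does not say which splitting scheme the HSM uses, so Shamir's scheme, the field prime and the sample secret are assumptions.

```python
import secrets

# Assumption: a prime field larger than any secret we split (2**521 - 1 is prime).
PRIME = 2**521 - 1

def split_secret(secret, threshold, holders, prime=PRIME):
    """Give each holder one point on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < prime:
        raise ValueError("secret must be in [0, prime)")
    if not 1 <= threshold <= holders:
        raise ValueError("need 1 <= threshold <= holders")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(threshold - 1)]

    def evaluate(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, highest degree first
            acc = (acc * x + c) % prime
        return acc

    return [(x, evaluate(x)) for x in range(1, holders + 1)]

def recover_secret(shares, prime=PRIME):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % prime
                den = (den * (xi - xj)) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total

def demo():
    """Constructed run: 7 share holders, 5 required, as in the post."""
    key = secrets.randbits(256)  # constructed stand-in for a storage key
    shares = split_secret(key, threshold=5, holders=7)
    with_five = recover_secret(shares[2:7]) == key   # any 5 shares work
    with_four = recover_secret(shares[:4]) == key    # 4 shares do not
    return with_five, with_four

if __name__ == "__main__":
    print(demo())
```

With fewer than five shares the interpolation still returns a number, just not the key, so a real deployment also needs an integrity check on the recovered value.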