On 13 Aug 2015, at 12:18, Dave Crocker wrote:
On 8/13/2015 9:14 AM, Stewart Bryant wrote:
Many of the interesting cases can be addressed by some mixture of
extreme key fragmentation with escrow fragmented across a set
of organizations that are both unable and unlikely to collude, but
would co-operate with an appropriate third party if presented with
the appropriate justification.
That's theory that could reasonably sound appealing. Are there
real-world examples of a model like this showing the desired
properties
that balance safety and utility?
Management of root zone DNSSEC Key Signing Key (KSK).
A copy of the system master key (SMK) that wraps backup copies of the
root zone KSK is distributed amongst independent "recovery key
shareholders" who do not share affiliation with each other or with any
of the root zone management partners. Each individual key share is
useless; a threshold number (I forget the value) of them must be brought
together in order for the SMK to be used. The application here is
disaster recovery in the event that all HSMs fail, and the root zone KSK
needs to be recovered from encrypted backups that are stored separately
from the HSMs on smart cards.
There has never been an occasion when these backups have been needed
(there have been no HSM failures), but the recovery procedures have been
lab-tested and the SysTrust audit includes the collection of
attestations (with photographic evidence, I think) that the SMK key
shares in their tamper-evident bags are still accessible by the
shareholders.
(I haven't been following this thread with enormous diligence, but this
seems like a real-world, well-documented, internet-related answer to
your question.)
Joe