On Thu, Nov 06, 2008 at 12:06:30PM +0100, Florian Weimer wrote:
> 10. The organization that generates the root zone file must sign the file and therefore must hold the private part of the zone signing key.
> or
> 10. The organization that generates the root zone file must have unfettered access to the zone signing key components.
> The second version seems to exclude storing the ZSK in an HSM. The first version is more ambiguous. In both cases, I don't quite see what the statement is supposed to mean. Does it advise against the introduction of yet another layer of indirection, by requiring that the organization which makes the final, technical content decision on the root zone (the "generator") also creates the digital signatures?
--
the first statement is an amplification ... the added text is "...and therefore..." e.g. the org must hold the private key if it is going to sign the zone. the second actually does not preclude an HSM, but does acknowledge the NoI requirement that the administrator must have access to the signing keys (both K&Z, public and private). --bill