August Approaching


As August is getting close, I was wondering whether the ETA for the signing ceremony of August 1st will be satisfied or not. What needs to be done in this ceremony is: Signing of X3 and X4 by the ISRG Root X1 and issuance and signing of two new ECDSA intermediates. Those seem to me like they need a lot of planning ahead. Is there any such plan? Or will the ETA change?


I’m not sure if “planning” is the tricky bit. At least, not technical planning.

If I was doing this work for the private CA I control, I’d estimate it’s maybe 1-2 hours including any time spent reading documentation and fixing goofs if I screw up. So I would not expect to do a lot of planning.

For a public CA it’s mostly about following the procedures which is always harder the first time. The DNS root publishes the notes of the people doing their signing ceremony (which signs all of DNSSEC) and it took them many attempts before it started going smoothly without little technical hiccups everywhere. I presume ISRG won’t be publishing such notes, since they’re a bit embarrassing and no other CA does it. I guess you can try to “dry run” to some extent, but there will be a lot of steps that involve systems nobody is supposed to touch at all outside of this ritual, so you can’t really check those work until you try them for real.

Here’s the most recent DNS root signing notes for comparison:

You can see there are a lot of steps that involve humans reading things like “frozen emphatic dirigible semantics niner zulu kilo” to each other when for a private CA you’d just copy-paste with the mouse. The ceremony at ISRG will be simpler, but still needs to bring multiple humans into the loop as much as possible in order to trust the results. With practice this gets a bit smoother, but it’s mostly by actually doing it more, not from planning.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.