[dns-operations] [Ext] Re: Destroying HSMs

Warren Kumari warren at kumari.net
Thu Feb 1 18:42:38 UTC 2018

On Thu, Feb 1, 2018 at 12:23 PM, Kim Davies <kim.davies at iana.org> wrote:
> Quoting Tony Finch on Thursday February 01, 2018:
>> Is this going to be like the way GCHQ required the Guardian to destroy
>> some computers with Dremels and a degausser?
> We are bringing in a vendor who specializes in the secure destruction
> of such things. Bear in mind these HSMs were already formally zeroized
> at a previous ceremony, which makes the physical destruction of the
> cryptographic module essentially an exercise in security theatre.


> However, it didn't seem quite right to simply take the HSMs out of
> service as-is.

While it's sad to destroy a nice piece of kit, sometimes theater is
important -- this is, I feel, one of those times.


> kim
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
