On Fri, 30 Jul 2010, Joe Abley wrote:
One observation from a non-crypto operations guy that was drawn into this project and has learnt a lot from having to implement the infrastructure designed by real crypto people: security is not always obvious. What seems like a flaw is often not, and what seems safe is often risky. There is a great deal to learn about security engineering, and what seems obvious is frequently not.
Trust is also based on perception, whether justified or not. The participants in the community wanted this kind of key ceremony and many ceremonial key holders for a variety of reasons. If the community changes its mind in the future, and wants a different kind of key ceremony and ceremonial key holders, then submit comments and propose changes. Whether Recovery Key Share Holders serve any useful role after the HSMs are initialized is one of those questions that lots of beer may help.