the_order/docs/governance/procedures/root-key-ceremony.md
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00


Root Key Ceremony Runbook

Date: Friday, December 5, 2025, 10:00–13:00 PT
Location: Secure facility (air-gapped room), dual-control entry
Status: Scheduled


Roles & Responsibilities

Ceremony Officer

  • Leads the ceremony
  • Ensures all steps are followed
  • Documents all actions
  • Coordinates with witnesses

Key Custodians (3)

  • Multi-party control (2-of-3)
  • Participate in HSM initialization
  • Witness key generation
  • Verify backup procedures

Auditor

  • Independent verification
  • Reviews all procedures
  • Validates artifacts
  • Signs off on completion

Witnesses (2)

  • External observers
  • Verify procedures
  • Sign witness statements
  • Maintain independence

Video Scribe

  • Records the ceremony
  • Documents all actions
  • Creates tamper-evident archive
  • Provides notarization support

Pre-Ceremony Checklist

Week Before

  • Confirm all participants
  • Verify secure facility access
  • Test HSM equipment
  • Prepare tamper-evident bags
  • Schedule notary
  • Prepare ceremony scripts

Day Before

  • Room sweep & security check
  • Device inventory
  • Hash baseline of all equipment
  • Verify air-gap status
  • Test recording equipment
  • Prepare backup media

Day Of (Pre-Ceremony)

  • Final room sweep
  • Verify all participants present
  • Check recording equipment
  • Verify HSM status
  • Confirm air-gap maintained
  • Begin video recording

Ceremony Steps

1. Room Sweep & Hash Baseline

Duration: 15 minutes

Actions:

  1. Verify room is secure and air-gapped
  2. Inventory all devices and equipment
  3. Create hash baseline (SHA-256 manifest) of the software and media on all equipment
  4. Document all serial numbers
  5. Verify no unauthorized devices

Artifacts:

  • Device inventory list
  • Hash baseline document
  • Room security checklist
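The hash baseline in step 1 is only useful if the same manifest can be re-checked at the end of the ceremony (and on the backup media before it is sealed). The script below is an added example, not the project's own tooling: it builds a sorted SHA-256 manifest of every file under a directory, prints the single digest that is read aloud to the witnesses and written into the minutes, and later verifies that nothing was modified, removed or added. It assumes GNU coreutils (`sha256sum`) and file names without newlines; the sample files it creates are constructed for the demo.

```shell
#!/bin/sh
# Hash baseline for ceremony equipment (added example; assumes GNU coreutils).

# make_manifest <dir> <manifest>: one "<sha256>  ./relative/path" line per file,
# in a locale-independent order so two runs over identical media are byte-identical.
make_manifest() {
    dir=$1; manifest=$2
    (
        cd "$dir" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$manifest"
}

# manifest_digest <manifest>: the one value recorded in the minutes; it commits
# to every entry of the manifest, so the manifest file itself need not be trusted.
manifest_digest() {
    sha256sum "$1" | cut -c1-64
}

# verify_manifest <dir> <manifest>: returns 0 only if every listed file is present
# with its recorded hash AND the set of files is unchanged. 'sha256sum -c' alone
# does not notice files that were added after the baseline, so the listing is
# compared as well.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    (cd "$dir" && sha256sum -c --quiet "$manifest") || rc=1
    expected=$(sed 's/^[0-9a-f]\{64\}  //' "$manifest")
    actual=$(cd "$dir" && find . -type f | LC_ALL=C sort)
    if [ "$expected" != "$actual" ]; then
        echo "manifest: file set differs from baseline (files added or removed)" >&2
        rc=1
    fi
    return $rc
}

# Demo on a constructed sample tree (stands in for the mounted ceremony media).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/media/config"
    printf 'firmware-image-v1\n' > "$work/media/firmware.bin"   # constructed sample file
    printf 'hsm_policy=2of3\n'  > "$work/media/config/hsm.cfg"  # constructed sample file
    make_manifest "$work/media" "$work/baseline.sha256"
    echo "baseline digest (read aloud, write into minutes): $(manifest_digest "$work/baseline.sha256")"
    verify_manifest "$work/media" "$work/baseline.sha256" && echo "baseline verified: OK"
    printf 'tampered\n' >> "$work/media/firmware.bin"
    verify_manifest "$work/media" "$work/baseline.sha256" || echo "tamper detected: baseline mismatch"
    rm -rf "$work"
}
demo
```

Run `make_manifest` on the day before the ceremony (step "Hash baseline of all equipment"), record the digest, and run `verify_manifest` again at the final room sweep and before sealing each backup; a non-zero exit is a procedural-error trigger, not something to be waved through.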

2. HSM Initialization (M of N)

Duration: 30 minutes

Actions:

  1. Initialize Thales Luna HSM
  2. Configure multi-party control (2-of-3)
  3. Verify key custodian access
  4. Test HSM functionality
  5. Document HSM configuration

Artifacts:

  • HSM configuration document
  • Key custodian access logs
  • HSM test results

3. Generate Root Key

Duration: 45 minutes

Actions:

  1. Generate root key pair in HSM
  2. Verify key generation (algorithm and key size/curve match the CP/CPS; private key marked non-exportable)
  3. Extract public key
  4. Create Certificate Signing Request (CSR)
  5. Document key parameters

Artifacts:

  • Root key generation log
  • Public key certificate
  • CSR document
  • Key parameters document

4. Seal Backups

Duration: 30 minutes

Actions:

  1. Create encrypted backups (HSM-wrapped; the private key is never handled in plaintext)
  2. Seal backups in tamper-evident bags
  3. Label all backups
  4. Verify backup integrity
  5. Store backups in secure location

Artifacts:

  • Backup inventory
  • Tamper-evident bag log
  • Backup integrity checks
  • Storage location record

5. Sign Issuing CA

Duration: 30 minutes

Actions:

  1. Generate the Issuing CA key pair and CSR
  2. Sign the CSR with the root key to produce the Issuing CA certificate
  3. Verify the certificate signature and chain against the root
  4. Publish certificate
  5. Document certificate details

Artifacts:

  • Issuing CA certificate
  • Certificate signature verification
  • Certificate publication record
  • Certificate details document

6. Publish Fingerprints

Duration: 20 minutes

Actions:

  1. Calculate certificate fingerprints
  2. Record fingerprints for public publication (carried out of the air-gapped room via the online bridge)
  3. Create DID documents (offline)
  4. Prepare for online publication
  5. Document publication process

Artifacts:

  • Fingerprint document
  • DID documents
  • Publication record
  • Online bridge preparation
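Steps 3, 5 and 6 are, at the keyboard, a short sequence of OpenSSL commands: create the root certificate and Root CSR, sign the Issuing CA's CSR with the root, verify the resulting chain, and compute the SHA-256 fingerprints that go into the minutes. The script below is an added example, not the project's ceremony script. It uses software-generated P-384 keys as a stand-in for the HSM-resident root key so that it runs anywhere; in the real ceremony the root private key stays inside the Luna HSM, `root.key` does not exist as a file, and OpenSSL reaches the key through the HSM's PKCS#11 provider or engine. The subject names and validity periods are assumptions for the demo.

```shell
#!/bin/sh
# Root / Issuing CA signing and fingerprinting (added example; assumes openssl >= 1.1.1).

# gen_root <dir>: root key pair (software stand-in for the HSM key), self-signed
# root certificate, the Root CSR artifact, and the extracted public key.
gen_root() {
    dir=$1
    cat > "$dir/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$dir/root.key"
    openssl pkey -in "$dir/root.key" -pubout -out "$dir/root.pub"               # "Extract public key"
    openssl req -new -x509 -key "$dir/root.key" -config "$dir/root.cnf" \
        -days 7300 -sha384 -out "$dir/root.pem"                                 # self-signed root
    openssl req -new -key "$dir/root.key" -config "$dir/root.cnf" -out "$dir/root.csr"  # Root CSR artifact
}

# sign_issuing <dir>: Issuing CA key + CSR, signed by the root with CA extensions
# (pathlen:0 so the issuing CA cannot mint further CAs).
sign_issuing() {
    dir=$1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$dir/issuing.key"
    openssl req -new -key "$dir/issuing.key" -config "$dir/root.cnf" \
        -subj "/CN=Example Issuing CA" -out "$dir/issuing.csr"
    cat > "$dir/issuing.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha384 -extfile "$dir/issuing.ext" -out "$dir/issuing.pem"
}

# verify_chain <dir>: the signature check in step 5; non-zero exit means stop.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/issuing.pem"
}

# fingerprint <cert.pem>: SHA-256 over the DER encoding, colon-separated as OpenSSL prints it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fingerprint_hex <cert.pem>: the same value computed with a second tool (sha256sum
# over the DER bytes), so a witness can confirm the two agree before it is published.
fingerprint_hex() {
    openssl x509 -in "$1" -outform DER | sha256sum | cut -c1-64
}

demo() {
    work=$(mktemp -d)
    gen_root "$work"
    sign_issuing "$work"
    verify_chain "$work"
    echo "root fingerprint (SHA-256):    $(fingerprint "$work/root.pem")"
    echo "root DER sha256sum:            $(fingerprint_hex "$work/root.pem")"
    echo "issuing fingerprint (SHA-256): $(fingerprint "$work/issuing.pem")"
    rm -rf "$work"
}
demo
```

The two fingerprint functions exist on purpose: the value that goes into the minutes and the DID documents should be produced by two independent computations on the ceremony machine and read back by the auditor before the room is opened.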

7. Record & Notarize Minutes

Duration: 30 minutes

Actions:

  1. Compile ceremony minutes
  2. Have all participants sign
  3. Notarize minutes
  4. Create tamper-evident archive
  5. Store original minutes

Artifacts:

  • Ceremony minutes
  • Participant signatures
  • Notarized document
  • Tamper-evident archive
  • Storage record

Artifacts Checklist

Required Artifacts

  • Root CSR
  • CP/CPS v1.0
  • Offline DID documents
  • Hash manifest
  • Sealed tamper-evident bags
  • Ceremony minutes
  • Participant signatures
  • Notarized document
  • Video recording
  • Backup media

Verification

  • All artifacts present
  • All signatures collected
  • Video recording complete
  • Backups verified
  • Certificates published
  • DID documents prepared

Post-Ceremony Tasks

Immediate (Day Of)

  • Secure all artifacts
  • Verify backup storage
  • Publish fingerprints
  • Notarize minutes
  • Archive video recording

Week After

  • Publish DID documents online
  • Update certificate registry
  • Distribute artifacts to custodians
  • Create ceremony report
  • Schedule audit review

Month After

  • External audit review
  • Update CP/CPS if needed
  • Publish ceremony report
  • Schedule next ceremony review
  • Update procedures based on lessons learned

Security Measures

Physical Security

  • Air-gapped room
  • Dual-control entry
  • No unauthorized devices
  • Continuous video recording
  • Witnessed procedures

Cryptographic Security

  • HSM-protected keys
  • Multi-party control
  • Encrypted backups
  • Tamper-evident seals
  • Hash verification

Procedural Security

  • Scripted procedures
  • Independent verification
  • Witnessed actions
  • Documented steps
  • Notarized records

Incident Response

Key Compromise

  1. Immediately halt ceremony
  2. Document incident
  3. Notify all participants
  4. Secure all artifacts
  5. Begin investigation
  6. Reschedule ceremony

Equipment Failure

  1. Document failure
  2. Verify no key exposure
  3. Replace equipment
  4. Resume from last verified step
  5. Update procedures

Procedural Error

  1. Document error
  2. Assess impact
  3. Correct if possible
  4. Restart affected step
  5. Update procedures

Contacts

Ceremony Officer

  • Name: [TBD]
  • Email: [TBD]
  • Phone: [TBD]

Key Custodians

  • Custodian 1: [TBD]
  • Custodian 2: [TBD]
  • Custodian 3: [TBD]

Auditor

  • Name: [TBD]
  • Email: [TBD]
  • Phone: [TBD]

Witnesses

  • Witness 1: [TBD]
  • Witness 2: [TBD]

Video Scribe

  • Name: [TBD]
  • Email: [TBD]
  • Phone: [TBD]

Revision History

Version  Date        Author            Changes
1.0      2025-11-10  Ceremony Officer  Initial runbook

Approval

Ceremony Officer: _________________ Date: _________

CISO: _________________ Date: _________

Founding Council: _________________ Date: _________