
And you know nobody actually has their high-value signing key protected by a series of complex offline vaults and checks and balances like you'd see in Ocean's 11 - at best it's on the other side of a room on an air gapped computer.


The IANA key ceremony is pretty close to best practice: https://kimdavies.com/key-ceremony-primer


This is the second time today that I've seen reference to a "key ceremony", which I hadn't heard of before. Sure I expected root key holders to have some kind of formality around key management, but not a 5 hour event live-streamed on youtube! https://www.iana.org/dnssec/ceremonies/45


Right... because the more you lock the key down and try to secure it, the greater the risk something in your security will go wrong, and then you will lose it yourself. Losing the key is not as bad, though still catastrophic, from a corporate perspective. Imagine if Apple couldn't distribute a software update ever again. Much better to not invest in super-strong security that has that risk... but then you have an increased risk of theft...

It's almost like cryptographic signing keys are the modern day Ring of Power...



The Simpsons got it right: https://youtu.be/eU2Or5rCN_Y


That matches my experience of an unnamed large multinational datacentre company.

To get to the floor you needed to go through the multilayer security, ID checks, etc.

The cleaner had left their mop in one of the secure doors, bypassing most of it.


That's not strictly true. At one point, my desk was next to the room that held the vault for one particular signing key. You'd have to get through the building security, through a room guarded by one access control mechanism, and then into a vault secured by a second mechanism. It wasn't guards and guns but it also seemed sufficient for the task at hand.


For a many million dollar key, a few armored robbers with guns would solve this problem. Or to quote xkcd: get the hammer


Depends on if you are concerned mostly about covert access or overt access. I'd argue the former is quite a bit more serious in the case that keys can be revoked online.


Depends how long they need it for.

"Hi, we have your family hostage for a week and if you tell anyone we have this key we'll ship you back parts"

More than enough time for a nation state backed actor to spread a lot of damage.


Yeah covert is the main issue - you need to be sure that dgacmu didn’t wander into the office one door over and grab a copy of the keys.

Some sort of read-only memory that logged how many times it had been read might help.
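The "memory that logs how many times it has been read" idea from the comment above, worked through as an added example (not code from the thread, IANA, or any HSM vendor): a custodian object that never exports its key, increments a use counter on every signing operation, and appends to a hash-chained audit log. An auditor then reconciles the device's counter and log against the ceremony minutes, so a covert signing that nobody recorded, or an edited log entry, shows up as a finding. HMAC-SHA256 stands in for a real HSM signing primitive, and the operator names and messages are constructed test data.

```python
"""Hypothetical key custodian with a use counter and hash-chained audit log.
Added example for this thread; not real HSM firmware. HMAC-SHA256 is a
stand-in for the signing primitive, and all inputs below are constructed."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # hash-chain head before any operation has been logged


def _entry_hash(prev: bytes, operator: str, msg_digest: bytes) -> bytes:
    """Each log entry commits to the previous entry, the operator and the message digest."""
    return hashlib.sha256(prev + operator.encode() + msg_digest).digest()


class KeyCustodian:
    """Holds the key internally, signs on request, and records every use."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)  # constructed test key, never exported
        self.use_count = 0
        self.audit_log: List[dict] = []
        self._chain = GENESIS

    def sign(self, message: bytes, operator: str) -> bytes:
        sig = hmac.new(self._key, message, hashlib.sha256).digest()
        self.use_count += 1
        msg_digest = hashlib.sha256(message).digest()
        self._chain = _entry_hash(self._chain, operator, msg_digest)
        self.audit_log.append({
            "n": self.use_count,
            "operator": operator,
            "msg_digest": msg_digest.hex(),
            "chain": self._chain.hex(),
        })
        return sig

    def verify(self, message: bytes, sig: bytes) -> bool:
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def recompute_chain(audit_log: List[dict]) -> bool:
    """True if every entry's chain value recomputes from its predecessor (no edits or deletions)."""
    chain = GENESIS
    for entry in audit_log:
        chain = _entry_hash(chain, entry["operator"], bytes.fromhex(entry["msg_digest"]))
        if chain.hex() != entry["chain"]:
            return False
    return True


def reconcile(custodian: KeyCustodian, minutes: List[Tuple[str, bytes]]) -> List[str]:
    """Compare the device's counter and log with the ceremony minutes.

    minutes: (operator, message) pairs the written record says were signed.
    Returns a list of findings; an empty list means device and record agree."""
    findings = []
    if not recompute_chain(custodian.audit_log):
        findings.append("audit log tampered: hash chain does not recompute")
    if custodian.use_count != len(custodian.audit_log):
        findings.append("use counter disagrees with log length")
    if custodian.use_count > len(minutes):
        extra = custodian.use_count - len(minutes)
        findings.append(f"{extra} signing operation(s) not in the ceremony minutes")
    for entry, (operator, message) in zip(custodian.audit_log, minutes):
        if entry["operator"] != operator or entry["msg_digest"] != hashlib.sha256(message).hexdigest():
            findings.append(f"log entry {entry['n']} does not match the minutes")
    return findings


def demo() -> Tuple[List[str], List[str], bool]:
    """Two recorded ceremony signings, then one covert use, then a forged log entry."""
    c = KeyCustodian()
    minutes = [("alice", b"zone 2024-q1"), ("bob", b"zone 2024-q2")]  # constructed record
    for operator, message in minutes:
        assert c.verify(message, c.sign(message, operator))
    clean = reconcile(c, minutes)           # device agrees with the minutes: []
    c.sign(b"malicious update", "unknown")  # covert use that nobody wrote down
    covert = reconcile(c, minutes)          # one finding: an operation not in the minutes
    c.audit_log[0]["operator"] = "mallory"  # someone edits the log after the fact
    chain_ok = recompute_chain(c.audit_log) # False: the hash chain no longer recomputes
    return clean, covert, chain_ok


if __name__ == "__main__":
    print(demo())
```

The counter is the part a real device would implement in hardware (a monotonic counter the operator cannot reset); the hash chain makes the log itself tamper-evident, so an insider who can reach the device but not its firmware cannot quietly sign and then erase the evidence.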


more like sleeper cell agents


“But the plans were on display…”

“On display? I eventually had to go down to the cellar to find them.”

“That’s the display department.”

“With a flashlight.”

“Ah, well, the lights had probably gone.”

“So had the stairs.”

“But look, you found the notice, didn’t you?”

“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.”


That's kind of how I feel trying to access the text of this article. All I can see when I look at the page or view source is a bunch of executable code. You have to do quite a bit to be able to read this security warning.


The places that care store them in HSMs which few people have physical access to.





