Skip to content
Blog
Security Ceremonies: Why Secure Systems Are More Than Math

Security Ceremonies: Why Secure Systems Are More Than Math

May 14, 2026·
Lomig Mégard

A security protocol that ignores its human participants is an incomplete protocol. That is the central argument of Carl Ellison’s 2007 paper, Ceremony Design and Analysis.1 While the term ceremony was coined earlier by Jesse Walker of Intel,2 Ellison gave it analytical force where operators, witnesses, and physical interactions are part of the protocol, not peripheral to it. They deserve explicit design and analysis with a level of rigour similar to that applied to technical protocol work.

In PKI and infrastructure contexts, one often encounters the narrower term key ceremony, referring specifically to procedures around generating, loading, rotating, or retiring cryptographic keys.3 Both terms are used throughout this blog, though I am inclined towards security ceremony because it better captures the essence of these procedures.

Looking beyond cryptography and hardware

Cryptography solves a specific problem: it makes it mathematically hard to forge a signature or read a message without the right key. Hardware security modules solve an adjacent problem: they make it physically hard to extract a key from a tamper-resistant device. However, neither solves the broader problem of proving that the right actions happened, in the presence of the right people, under the right conditions. This raises further questions: Who authorised this key to be generated? Who was in the room? Was the device the one expected; unmodified and unsealed? Was the process fully followed, or were steps skipped under time pressure? Could anyone have coerced the operator?

These questions do not have mathematical answers. Rather, they require human attestation, role separation, and evidence to prove that the procedure was actually followed.

In addition, there is a deeper issue: security policy cannot be built into equipment alone; people define the conditions of use. A device, however secure, can only enforce a policy humans have communicated to it. That handover, whether treated as one or not, “can never be a pure protocol and therefore must always be a ceremony,”1 as Ellison puts it. These human steps are not superfluous; they address the questions that cryptography cannot, and demonstrate how security policy is made real.

What is a ceremony?

A ceremony is more than running a script. It includes the people, channels, and records required to make sensitive operations trustworthy and reviewable.

What a ceremony produces is not only an outcome, but also evidence: who was present, what was done, and what each participant attests to.

These procedures are ritual-like: they are repeated, structured interactions through which people and systems perform prescribed actions in a particular order.4 That structure matters because ceremonies are carried out by people, not idealised actors. In practice, this means explicit roles for operators, witnesses, and auditors, along with scripted steps, logged actions, and signed attestations. Every decision should be traceable. Every participant should be accountable.

A ceremony must also account for something that protocol design often abstracts away: humans do not behave like machines. People get tired, skip checks, interpret instructions differently, and optimise for speed under pressure. A well-designed ceremony does not depend solely on diligence. Rather, it allows us to reduce ambiguity, constrain unsafe choices, and leave a record that can be reviewed afterwards.

The IANA DNSSEC root zone signing ceremony is the most visible example of this practice. It is held quarterly in secure facilities on both US coasts, involves cryptographic officers and recovery key shareholders, and is livestreamed for public scrutiny.5 This is not because the cryptography requires it, but because the trust model does.6

Remember, the purpose of a ceremony is to establish trust, not to manage technical difficulty.

The origins

By the time the concept was formally defined in 2007, the practice was already decades old. The rise of PKI in the 1990s and the need to bootstrap root certificate authorities created a practical necessity: organisations had to prove, to auditors as well as to each other, that their most sensitive keys were generated correctly and never exposed.7 Informal procedures were written down, roles were assigned, and witnesses were invited.

The DNSSEC root zone signing ceremony, institutionalised around 2010, became the most visible public expression of this approach.5 But dual custody, chain of evidence, and witnessed handoffs are older than computing itself. By 1981, NSA documentation was already describing long-established practices such as scheduled key changes, strict key-handling procedures, and formal controls around the storage and distribution of key material.8 These practices existed more as operational craft than as first-class system design.

The industry has now learned to take ceremonies seriously, but still lacks simple, reusable ways to describe them, execute them, and review what actually happened.

This is where Rite steps in.

  1. Carl Ellison, Ceremony Design and Analysis, IACR Cryptology ePrint Archive, Report 2007/399, https://eprint.iacr.org/2007/399↩︎ ↩︎

  2. UPnP Forum, UPnP Security Ceremonies Design Document (2003), https://upnp.org/specs/sec/UPnP-sec-UPnPSecurityCeremonies-v1.pdf. The document notes that “the term ceremony was coined by Jesse Walker of Intel Corporation.” ↩︎

  3. Wikipedia contributors, “Key ceremony,” Wikipedia, accessed May 14, 2026, https://en.wikipedia.org/wiki/Key_ceremony↩︎

  4. Giampaolo Bella, Jacques Ophoff, Karen Renaud, Diego Sempreboni, and Luca Viganò, “Perceptions of Beauty in Security Ceremonies,” Philosophy & Technology 35 (2022): 72, https://doi.org/10.1007/s13347-022-00552-0; Giampaolo Bella, Karen Renaud, Diego Sempreboni, and Luca Viganò, “An Investigation into the ‘Beautification’ of Security Ceremonies,” in Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019) (2019), 125–36, https://doi.org/10.5220/0007921501250136↩︎

  5. Internet Assigned Numbers Authority (IANA), “Root KSK Ceremonies,” https://www.iana.org/dnssec/ceremonies; ICANN / IANA, Root Zone DNSSEC KSK Ceremonies Guide (2010), https://www.iana.org/archive/root-dnssec-launch/files/draft-icann-dnssec-ceremonies-01.txt; ICANN, Root KSK Protection and Key Ceremonies (2017), https://www.icann.org/en/system/files/files/presentation-root-ksk-protection-key-ceremonies-13may17-en.pdf ↩︎ ↩︎

  6. APNIC Blog, “Cryptography, Rituals and Transparency: The World of Key Ceremonies” (2021), https://blog.apnic.net/2021/07/19/cryptography-rituals-and-transparency-the-world-of-key-ceremonies/↩︎

  7. Microsoft Blog, “Basics and History of PKI” (2012), https://learn.microsoft.com/en-us/archive/blogs/option_explicit/basics-and-history-of-pki↩︎

  8. Wikipedia contributors, “NSA encryption systems,” Wikipedia, accessed May 14, 2026, https://en.wikipedia.org/wiki/NSA_encryption_systems; National Security Agency, A History of COMSEC, Volume II, https://www.nsa.gov/portals/75/documents/news-features/declassified-documents/cryptologic-histories/history_comsec_ii.pdf↩︎