Know anything about this lingo?
By Rolling the KSK, ICANN implies that a new cryptographic public and private key pair will be generated and the private key will be distributed to internet service providers, enterprise network administrators, and Domain Name System (DNS) resolver operators...
Some. About four years or so ago, it was discovered the cryptography they were using to sign websites was not as secure as they thought. They set about creating the rollout of a plan to increase the security of those encryption certificates so that when you connect to a HTTPS (secure) website, it actually IS secure. . . and they were supposed to have it done originally by 2016, but it hasn't been done yet.
There will be a public key which allows us USERS and everyone who needs to decrypt the portion of the certificate we need to see, and an owners'/issuer's key. . . that is the portion that assures the certificate of security is authentic. . . at least until some bad guys figure out how to spoof them. . . which should take a long time.
Evidently, they are FINALLY rolling the change over out this past weekend and making the new certificates available so we can be assured that when we connect to our banks, use a credit card on line, etc., it truly IS secure once the private keys are in place. It SHOULD be transparent to all of us users, although I expect to see some "The certificate for this website is expired or outdated" alerts.