[168935] in North American Network Operators' Group


FW: Trusted Community Representation for Root KSK

daemon@ATHENA.MIT.EDU (Leo Vegoda)
Thu Feb 6 19:49:18 2014

From: Leo Vegoda <leo.vegoda@icann.org>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 6 Feb 2014 16:49:02 -0800
In-Reply-To: <5061C938-FBCE-4DE1-BD4A-E996A1DDC4D3@icann.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi,
 
People on this list might also want to submit responses.
 
Regards,
 
Leo
 
 
From: dns-operations-bounces@mail.dns-oarc.net
[mailto:dns-operations-bounces@mail.dns-oarc.net] On Behalf Of Kim
Davies
Sent: Thursday, February 06, 2014 12:38 PM
To: DNS Operations
Subject: [dns-operations] Trusted Community Representation for Root KSK
 
Hi folks,
 
ICANN is currently performing a consultation on how to evolve the
participation of Trusted Community Representatives in the management of
the root key signing key. I think this consultation is of particular
interest to this group as ultimately these TCRs are there to instill
trust in the DNS operations community that the KSK is being managed in a
proper fashion.
 
I'd encourage you to provide feedback to this consultation - available
at http://www.icann.org/en/news/public-comment/tcr-dnssec-key-signing-21jan14-en.htm
- by 11th February. It is important we have a model of TCR
participation that is satisfactory to the community.
 
For convenience, here are the terms of reference replicated:
 
Background
 
Since July 2010, the DNS Root Zone has been secured using DNSSEC[1]. The
model of using DNSSEC in the DNS Root Zone revolves around a "key
signing key" (KSK) that is managed by ICANN in two secure facilities.
Four times a year, a ceremony is conducted at these facilities to
perform operations involving the KSK. As a key part of this process, a
minimum of three from a pool of 21 trusted community representatives
(TCRs) attend each ceremony to enable access to the secure materials, to
witness the procedure, and to attest that the ceremony was conducted
properly[2].
 
Each ceremony is attended by ICANN staff, the TCRs, representatives of
the Root Zone Maintainer (Verisign), representatives of an independent
audit firm retained by ICANN to monitor the process, and often
additional external witnesses. Ceremonies are recorded by three audit
cameras and webcast online. A typical ceremony lasts approximately four
hours, and involves a process of temporarily removing the key signing
key from a safe and performing key-signing operations in a secure manner
following a formal script. The script is designed to perform each
operation in a transparent manner to ensure the key signing key is only
used for its proper purpose, and there is no ability for its contents to
be disclosed for other purposes. Materials from each ceremony - such as
the scripts, video recordings, and system output - are posted online[3].
 
De-briefings and discussions are conducted post-ceremony, where
participants discuss how to improve future ceremonies. This feedback
helps inform the evolution of the KSK ceremony to be both efficient and
effective, while ensuring maximum trust in how ceremonies are performed.
 
The TCRs were selected[4] from the global community based on a number of
criteria[5]. These selection criteria relate to the volunteers' ability
to travel to ceremonies, conscientiously oversee the process, ensure
transparency in its operation, and ultimately contribute to the broader
community's trust that the private component of the key signing key has
not been compromised. The TCRs are privately funded volunteers who are
not reimbursed or compensated by ICANN for their participation nor their
expenses. The original TCR proposal was silent on the length of service
of individual TCRs.
 
Of the 21 TCRs, seven are credentialed as "crypto officers" (COs) for
each of the two facilities, and the remaining seven act as "recovery key
shareholders" who only participate in ceremonies in the event the
requisite number of COs are unable to participate or there is a need to
rebuild the KSK following an unforeseen event. Of the seven COs for each
facility, ICANN aims to have four attend each ceremony, with an absolute
minimum of three required to successfully perform a ceremony. Each
facility hosts two ceremonies per year, approximately once every six
months. In practice, a TCR will attend at minimum one ceremony per year,
and some will attend two in order to ensure sufficient attendance.
 
Of the initial pool of 21 TCRs, one has resigned and been replaced from
the pool of recovery key shareholders. No TCR has been removed owing to
the other three criteria for replacement in the TCR selection document,
relating to lack of integrity or trustworthiness; assumption of a
conflicting role within a root management organization; or being unable
to serve in their position.
 
Based on feedback from the current TCRs and our experience from the
first 14 ceremonies, we are reviewing what changes, if any, should be
made to the current model of TCR participation.
 
Comments
 
Comments are welcome on any aspect of the consultation, and specifically
on the following questions:
 
1. Is the current TCR model effectively performing its function of
ensuring trust in the KSK management process?
2. Is the current size of the TCR pool appropriate to ensure sufficient
participation in the ceremonies, while not overburdening the
availability of specific volunteers?
3. Should there be a minimum level of participation required of a TCR in
order to be considered to be successfully discharging their duties?
4. There is no standard provision to refresh the list of TCRs except
when they are replaced due to inability to effectively perform their
function. Should there be a process to renew the pool of TCRs, such as
using term limits or another rotation mechanism?
5. The current model does not compensate TCRs for their services in
order to ensure their independence from ICANN.
     a. Should the model of TCRs paying the costs of their participation
be retained?
     b. Would some form of compensation to offset the expenses incurred
by the TCRs detract from their independence in performing the role?
     c. If you support compensating TCRs for their expenses, are there
requirements or limitations on who the funding organization should be?
 
Please send your comments to
comments-tcr-dnssec-key-signing-21jan14@icann.org
 
References
 
[1] http://www.root-dnssec.org
[2] https://www.iana.org/dnssec/icann-dps.txt
[3] http://data.iana.org/ksk-ceremony/
[4] http://www.root-dnssec.org/tcr/selection-2010/
[5] http://www.root-dnssec.org/wp-content/uploads/2010/04/ICANN-TCR-Proposal-20100408.pdf
 
 
kim
 

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs