Hacker News on Gopher (unofficial)
COMMENT PAGE FOR:
Passing the Torch — My Last Root DNSSEC KSK Ceremony as Crypto Officer 4
teddyh wrote 58 min ago:
He should probably update his "About" page on his blog to remove
"I sign the DNSSEC root", then.
0x50000000 wrote 1 hour 23 min ago:
KMF-East is the Gegenvorschlag, or counterproposed key-management for
the resolution of TCP/IP ICANN domain certifications.
DNSSEC requires cycling existing TCR for AES-256 symmetric encryptions
or leveraging localised key share cycles.
shruubi wrote 5 hours 17 min ago:
Not sure how geographically diverse it is to have two "highly secure
sites" on the same continent.
charcircuit wrote 1 hour 3 min ago:
There are security concerns having sites outside of America. I prefer
keeping them only within my home country.
shmel wrote 42 min ago:
Equally there are security concerns having sites inside the US.
ggm wrote 5 hours 0 min ago:
Several people either in this circuit or close by made submissions to
this effect to ICANN recently.
It's very hard to get traction on this story because there is a lot
of "don't prod the bear" regarding things ICANN can and should ask
Department of State about, and things which really have moved into
"self managed, independent international body" space. The reason
there are two HSM east and west coast was because of this kind of
national-strategic sensitivity. It would be a low bar (only money)
decision to duplicate the investment in Singapore and Geneva, two
locations which ICANN has existing investment in, with good secure
facilities and accepted by the wider public as "neutral" points.
When the KSK ceremonies started up, several people also pointed out
that this "diverse locations" thing was a bit hokey. The response
above is my re-write of the kinds of things said to me, at the time.
If somebody wants to deny State or any other US federal agency
influenced the decision I have no formal proof.
I should add as a declaration of interest I was at Rob's goodbye KSK
event, I am a TCR, and I made such a submission this year. I have not
received any indication it was understood or read, despite asking for
some acknowledgement, but the process wheels in an agency like ICANN
run to their own time.
tptacek wrote 4 hours 56 min ago:
What would "poking the bear" do here? What's the risk?
jacquesm wrote 1 hour 36 min ago:
Don't we have the '98 DNS ROOT incident as a nice example of what
could happen when the bear gets poked?
ggm wrote 8 min ago:
Yes, but we're a long way down "our hands are off it's ICANN
now". The exception might be DNSSEC and the Verisign contract
continuance. I have no complaint against Verisign, far from it:
their staff are excellent and they are amazingly diligent and
risk averse.
But at a contractual level you could ask is there another
company which could tender to operate the root publication
function, and meet all stakeholder requirements? And, could
that company be legally constituted outside the USA?
ggm wrote 4 hours 43 min ago:
The risk is being told no, and inviting dissent into the
independence of ICANN. Not asking means no risk of being told
"no, you do as you're told", which would endanger the whole
3-legged stool. The GAC would immediately question the assumption
the US government had that level of signoff, the money flows and
lawyers would fire up, it would become a shitstorm in a teacup.
The least likely outcome of asking the department of state if
ICANN is "permitted" to add an HSM outside the USA, is a positive
answer.
The most likely path to doing it, is not to assume you have to
ask.
tptacek wrote 4 hours 39 min ago:
Interesting. Thanks!
ggm wrote 4 hours 34 min ago:
It's my personal opinion from beer convos with people in the
circuit. As I said I have no firm proofs and you should hedge
belief in this by the lack of verifiable facts.