Comment to TCR DNSSEC Keysigning
> Comments are welcome on any aspect of the consultation, and
> specifically on the following questions:
>
> 1. Is the current TCR model effectively performing its function of
> ensuring trust in the KSK management process?

Trust is in the eyes of the beholder, hence I can only speak to how I personally assess the process. The process intends to assert two things:

1. During the ceremony there is no abuse, no copies are made of the private keys, and only the right set of zone signing keys are signed. The guarantee is provided by having many eyes on the execution of a well-documented procedure.

2. Between ceremonies the private keys have not been used or copied. That guarantee is provided by having multiple parties overseeing entry to the vaults, and by visual inspection of damage to the vault locks and tamper-evident bags.

In my eyes, the ceremony provides the highest level of certainty that during the ceremony the private key is not being abused or copied. Small improvements are made, but this process is solid and trustworthy.

As for the second assertion, certain assumptions about the capacities of adversaries come into play. I believe that a reasonable balance has been struck, certainly given the stakes of today's DNSSEC dependence and the capacity of the adversaries, which would need to be of movie-plot proportions before they pose a real threat. That said, the trust agenda becomes highly political, and as DNSSEC gains uptake and is expected to be used as a trust-bootstrap mechanism, the trust assessments around the globe may change.

With the two assertions in mind, the process is constantly evaluated by the TCRs, and I've experienced that ICANN staff has been quick to react to suggestions. For instance:

- It has been suggested to put the smart cards in hardened plastic boxes so as to prevent activating the cards using sharp needles without visibly damaging the tamper-evident bags.
- TCRs are allowed to bring their 'own brand' of tamper-evident bag for additional certainty (bag-within-bag).

While writing this it occurs to me that there may be improvements to be gained in the transparency of the in-between-sessions access to the facilities.

> 2. Is the current size of the TCR pool appropriate to ensure
> sufficient participation in the ceremonies, while not overburdening
> the availability of specific volunteers?

In order to detect the use of a private key in between sessions, at least 5 of the TCRs will need to ascertain that no combination of 3 keys has been compromised. (This speaks to the second assertion above, and currently there is no such requirement for the TCRs.) Suppose that the same three Crypto Officers have not been able to travel to the ceremony two times in a row; then a compromise of their tamper-evident bags might go undetected for a year. If the number of Crypto Officers grows, then more of them need to show up to guarantee assertion two.

> 3. Should there be a minimum level of participation required of a TCR
> in order to be considered to be successfully discharging their duties?

Yes, see the reasoning above about assertion two: in an M-out-of-N signing scheme at least N-M+1 Crypto Officers need to be present.

> 4. There is no standard provision to refresh the list of TCRs except
> when they are replaced due to inability to effectively perform
> their function. Should there be a process to renew the pool of TCRs,
> such as using term limits or another rotation mechanism?

Yes, there should be such a process. The process should be inclusive and transparent, and is allowed to have a bias towards relevant specialists.

> 5. The current model does not compensate TCRs for their services in order to
> ensure their independence from ICANN.
> a. Should the model of TCRs paying the costs of their participation
> be retained?
> b. Would some form of compensation to offset the expenses incurred
> by the TCRs detract from their independence in performing the role?
> c. If you support compensating TCRs for their expenses, are there
> requirements or limitations on whom the funding organization should
> be?

The ability to pay for a trip is orthogonal to being trusted for the function: if a person is trusted for the function, then the ability to perform that function should be facilitated. Boundary conditions are that the assignment of funds is done by an independent body in a transparent and audited fashion, and that only expenses are paid (TCR is a voluntary function). If those boundary conditions are fulfilled, then the source of the funding should not be an issue, although preferably it should be diverse.

Attachment: signature.asc
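The M-out-of-N attendance bound argued in the reply above (at least N-M+1 Crypto Officers present, so that no M-card coalition goes wholly uninspected, and the "same three absent twice in a row" scenario), worked through as an added example that is not part of the original message. It assumes the KSK is activated by any M of N smart cards, one per Crypto Officer, and that a card is inspected only when its holder attends a ceremony; the 7 cards, the 3-of-7 threshold and the absence pattern are constructed for illustration, not taken from the page.

```python
from itertools import combinations

# Constructed model of the attendance argument: N cards, any M of which
# activate the key; a card is inspected only when its holder attends.


def undetectable_coalitions(n, m, absent):
    """Return every M-subset of cards 1..n that could all have been tampered
    with while nobody present at this ceremony inspected any of them."""
    absent = set(absent)
    return [c for c in combinations(range(1, n + 1), m) if set(c) <= absent]


def min_present_for_detection(n, m):
    """Smallest attendance at which no M-subset can be wholly uninspected.

    Brute-forced: for each attendance level the worst case is that all the
    other n-present holders are absent; stop when that leaves no coalition.
    """
    for present in range(0, n + 1):
        worst_absent = range(present + 1, n + 1)
        if not undetectable_coalitions(n, m, worst_absent):
            return present
    return n


def longest_undetected_run(n, m, absences):
    """Given per-ceremony sets of absent holders, return (coalition, run) for
    the M-subset that stays uninspected over the most consecutive ceremonies.
    A run of k means a tampered coalition would survive k ceremonies unseen."""
    best = (None, 0)
    for coalition in combinations(range(1, n + 1), m):
        run = longest = 0
        for absent in absences:
            run = run + 1 if set(coalition) <= set(absent) else 0
            longest = max(longest, run)
        if longest > best[1]:
            best = (coalition, longest)
    return best


if __name__ == "__main__":
    N, M = 7, 3  # assumed: seven cards, three needed (so N-M+1 == 5)
    print("minimum present:", min_present_for_detection(N, M))
    # Four present, three absent: exactly the absent trio is a blind spot.
    print("blind spots with {5,6,7} absent:", undetectable_coalitions(N, M, {5, 6, 7}))
    # Constructed absence pattern: the same three miss two ceremonies in a row.
    pattern = [{1, 2, 3}, {1, 2, 3}, {4}]
    print("worst coalition and run:", longest_undetected_run(N, M, pattern))
```

The brute force is deliberate: it checks the N-M+1 claim by enumeration rather than assuming it, so the same functions can be rerun with a larger pool to see how the required attendance grows.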