[At-Large] FRIENDLY REMINDER: Review on Trusted Community Representation #Root #Zone #DNSSEC [Call for Comments]
aidanoblia at gmail.com
Fri Feb 7 16:45:21 UTC 2014
Dear Salanieta and All:
Regarding the number of TCRs: of the 21 TCRs, only 6 or 8 people must attend
each time, half of whom go to one place and half to another. From the point
of view of the risks posed, the biggest problem is that the two places
where the ceremonies are held are located in the same country: if something
occurs there, there is no other backup. But that is not the reason for the query.
2014-02-07 Salanieta T. Tamanikaiwaimaro <salanieta.tamanikaiwaimaro at gmail.com>:
> Dear All,
> Many thanks for your contributions on the Wiki and in the mailing list.
> This is a revised Draft:
> For those who wish to make final last minute comments, visit:
> Since there were divergent views on some of the issues, I have attempted to
> capture both views.
> *Revised Draft ALAC Statement on the TCR Review*
> The Affirmation of
> the Internet as a transformative technology that empowers people around the
> globe, spurs innovation, facilitates trade and commerce, and enables the
> free and unfettered flow of
> One of the elements of the Internet's success is a highly decentralized
> network that enables and encourages decision-making at a local level.
> Notwithstanding this decentralization, global technical coordination of the
> Internet's underlying infrastructure - the Domain Name
> (DNS) -
> is required to ensure
> DNS Security
> is a protocol that is currently being deployed to secure the Domain Name
> System (DNS), the Internet's global phone book. DNSSEC adds security to the
> DNS by incorporating public key cryptography into the DNS hierarchy,
> resulting in a single, open, global Public Key Infrastructure (PKI) for
> domain names.
> In DNSSEC a secure response to a query is one which is cryptographically
> signed and validated. An individual signature is validated by following a
> chain of signatures to a key which is trusted for some extra-protocol
> reason. ICANN, as IANA Functions Operator, is responsible for the
> publication of trust anchors
> the root zone of the Domain Name System.
> Since July 2010, the DNS Root Zone has been secured using DNSSEC. The model
> of using DNSSEC in the DNS Root Zone revolves around a "key signing key"
> (KSK) that is managed by ICANN in two secure facilities. Four times a year,
> a ceremony is conducted at these facilities to perform operations involving
> the KSK. As a key part of this process, a minimum of three from a pool of
> 21 trusted community representatives (TCRs) attend each ceremony to enable
> access to the secure materials, to witness the procedure, and to attest
> that the ceremony was conducted properly.
> The At Large Community recognizes the role and significance that the DNS
> plays in ensuring interoperability. We recognize the importance of DNSSEC
> in the security, stability and resiliency of the Internet in the root zone
> and the subsequent deployment in DNS Infrastructure. Noting that at the
> time this statement was written there were 427 TLDs in the root zone of
> which 235 are signed and that 229 have trust anchors published in the DS
> records in the root zone whilst 4 TLDs have trust anchors published in the
> ISC DLV Repository <http://stats.research.icann.org/dns/tld_report/>, we
> hope that in time more TLDs will move towards having trust anchors
> The Root Zone Key Signing Ceremony points to one of ICANN's important
> functions of preserving accountability and transparency in the manner in
> which it conducts its DNSSEC Key Signing Ceremonies.
> We recognize the unique combination the key-signing and TCRs make of broad
> participation, transparency and accountability in order to serve the
> central function of preserving and enhancing the stability, security and
> resilience of the DNS, thus engendering widespread trust.
> We would like to congratulate all the stakeholders involved in the KSK
> management process on the services since the first KSK signing ceremony
> to date. We welcome the opportunity to contribute to the Review of
> Trusted Community Representation in Root Zone DNSSEC Key Signing
> Ceremonies. Following consultations with the At Large community along the
> questions that were raised, we found that on some issues there was
> divergence of views and we have captured both views.
> *1. Is the current TCR model effectively performing its function of
> ensuring trust in the KSK management process?*
> The current Trusted Community Representative (TCR) model has been
> effectively performing its functions of ensuring trust in the KSK
> management process; however, we make the following observations.
> The Abbreviation Draft of the Key Signing Ceremony Annotated Scripts, which
> provides a permanent trusted record of the Ceremony, does not include a
> definition for "EW" when these appear to be sometimes the largest number of
> category of people at the Ceremony. The Key Signing Ceremony Annotated
> Scripts do not clearly state that there are no other participants
> (including Camera person) present apart from those listed.
> *2. Is the current size of the TCR pool appropriate to ensure
> participation in the ceremonies, while not overburdening the
> availability of specific volunteers?*
> There are two different views on this. The first view is that the current
> size of the TCR pool is sufficient. The second view suggests that the
> current size needs to be expanded to cater for unforeseeable circumstances
> (includes but is not limited to terrorist attacks, flight disruptions,
> state of emergency, civil war, etc.) that could render all 21 TCRs incapable
> of attending to their responsibilities. There might be some merit in
> expanding the pool and retaining the TCRs whilst rotating them from within
> the pool.
> *3. Should there be a minimum level of participation required of a
> TCR in order to be considered to be successfully discharging their duties?*
> No comment.
> *4. There is no standard provision to refresh the list of TCRs
> except when they are replaced due to inability to effectively perform
> their function. Should there be a process to renew the pool of TCRs,
> such as using term limits or another rotation mechanism?*
> There are two views on this matter. The first view is that the existing
> pool and their indefinite terms are sufficient and that the 21 TCRs are
> more than enough to meet possible contingencies that may arise. There is
> no need for a process to renew the pool of TCRs, nor to use term limits or
> introduce a rotation mechanism.
> The other view is that there is need for term limits as the original TCR
> mechanism is silent on the term. Rotation would protect against potential
> capture. That there are 2.6 billion internet users should indicate that
> there are at least sufficient persons in the world who could meet the criteria
> for selection. Where there is an assumption of indefinite service as a TCR,
> there should be a constant requirement to disclose any and all potential
> conflicts of interest to disable the risk of "capture" by any stakeholder
> or interest.
> *5. The current model does not compensate TCRs for their services in
> order to ensure their independence from ICANN.*
> *a. Should the model of TCRs paying the costs of their participation be
> retained?*
> *b. Would some form of compensation to offset the expenses incurred by
> the TCRs detract from their independence in performing the role?*
> *c. If you support compensating TCRs for their expenses, are there
> requirements or limitations on whom the funding organization should be?*
> There are two divergent views in relation to this. The first view holds
> that the current model where TCRs pay the costs should be retained. TCRs
> should be cost-neutral for those not supported by firms or other entities
> should suffice. To create another source of travel funds for TCRs is poor
> and unwarranted.
> The second view acknowledges the financial burden placed on TCRs. Although
> TCRs are volunteers, a system should be set in place that guarantees
> independence yet allows them to carry out their duty. A fund should be
> managed externally that is independent that can cater for the expenses of
> the TCRs. There should be limitations on those who can contribute to this
> fund. Any funds or gifts being awarded to the TCR should be promptly and
> formally disclosed through appropriate avenues.
> Kind Regards,