[At-Large] FRIENDLY REMINDER: Review on Trusted Community Representation #Root #Zone #DNSSEC [Call for Comments]

Dev Anand Teelucksingh devtee at gmail.com
Tue Feb 11 19:59:30 UTC 2014


Thanks Aida for your attention to this.

I've been reading the document titled
"DNSSEC Root Zone High Level Technical Architecture" at
http://www.root-dnssec.org/wp-content/uploads/2010/06/draft-icann-dnssec-arch-v1dot4.pdf

Pages 8 to 10 talk about the Key Signing Key (KSK) Ceremonies.

Some excerpts:

"The ceremonies will alternate between mirror sites to exercise their
operational readiness in case of emergency.....

....Once a new KSK is generated during a key generation ceremony, it is
backed up in encrypted form on a smart card and distributed to the
mirror site for import and storage. The key ceremony is inclusive of
these events and is not deemed complete until they have all been
performed. Key signing ceremonies (during which the contents of the KSR
are signed) are more frequent than KSK generation ceremonies and, though
they alternate between sites, a given signing ceremony does not involve
the corresponding mirror site."

"The KSKs for the DNSSEC root zone system will be maintained at two
offline sites each mirroring the other in functionality. To meet DoC
requirements, the two sites maintaining the private half of the KSKs
will be geographically dispersed and within the United States: one in
Los Angeles, California (near ICANN headquarters) and the other outside
the metropolitan Washington, D.C. area"


Therefore, this document indicates that the two facilities are NOT used at
the same time for any ceremony; rather, ceremonies alternate between the
two venues.

Kind Regards,

Dev Anand








On Tue, Feb 11, 2014 at 12:03 PM, Aida Noblia <aidanoblia at gmail.com> wrote:

> Hello everyone:
>
> On Dev's comment in the wiki:
>
> The line "The possibility of having the signing at the same time ....."
> is confusing to me. As I understand it, any key signing ceremony
> requires some of the 7 Crypto Officers to travel to one of the two
> facilities in the US. I believe there are no simultaneous actions
> occurring at both facilities at the same time. I will appreciate any
> clarification on this.
>
> Dev and all: regarding the clarification you requested about two
> ceremonies being held at a time:
>
> The document "Review of Trusted Community Representation in Root Zone
> DNSSEC Key Signing Ceremonies" says this in one of its paragraphs. I
> paste the text below, with what I copied verbatim in bold.
>
>
> "Of the 21 TCRs, seven are credentialed as "crypto officers" (COs) *for
> each of the two facilities*, and the remaining seven act as "recovery
> key shareholders" who only participate in ceremonies in the event the
> requisite number of COs are unable to participate or there is a need to
> rebuild the KSK following an unforeseen event. Of the seven COs for each
> facility, ICANN aims to have *four attend each ceremony*."
>
>
> Another of the IANA documents is more detailed and says both ceremonies
> will be in two different places in the same country, which it names, and
> clarifies that one is in the East and the other in the West. I am
> looking for which of the documents I read this in. It is the one
> referring specifically to the KSK ceremonies. I do not remember if it is
> a txt .. they refer to technical standards of information security.
>
>
> Regards to all
>
>
> Aída
>
>
>
>
>
>
>
>
>
>
> 2014-02-11 3:19 GMT-02:00 Aida Noblia <aidanoblia at gmail.com>:
>
> >
> > Disclaimer: the ceremonies are held only two times a year. There are
> > two ceremonies at a time; in total there are four ceremonies a year.
> >
> > Aída
> >
> >
> > 2014-02-11 3:04 GMT-02:00 Aida Noblia <aidanoblia at gmail.com>:
> >
> >> Dear Dev and All,
> >>
> >> The proportion between the world population and the number of TCRs is
> >> not relevant for the purposes of these ceremonies. This ratio is
> >> determined by the specific needs of the ceremony, not in proportion to
> >> the world population.
> >>
> >> Ceremonies are held four times a year. Technical rules determine that
> >> 6 or 8 people attend them, out of the 21 that are available. Increased
> >> availability does not mean more people in the ceremonies. The question
> >> is not about how many people attend the ceremonies but how many are
> >> available for selection.
> >>
> >> Kind Regards
> >>
> >> Aída
> >>
> >>
> >> 2014-02-10 21:38 GMT-02:00 Dev Anand Teelucksingh <devtee at gmail.com>:
> >>
> >> Posted some comments at the wiki https://community.icann.org/x/nge6Ag
> >>>
> >>> Kind Regards,
> >>>
> >>> Dev Anand
> >>>
> >>>
> >>> On Sun, Feb 9, 2014 at 8:07 PM, Salanieta T. Tamanikaiwaimaro <
> >>> salanieta.tamanikaiwaimaro at gmail.com> wrote:
> >>>
> >>> > Dear All,
> >>> >
> >>> > This is to advise that further edits have been made to reflect the
> >>> > new responses that came. Changes are in *bold and blue*.
> >>> >
> >>> > See: https://community.icann.org/x/nge6Ag
> >>> >
> >>> > Kind Regards,
> >>> > Sala
> >>> > _______________________________________________
> >>> > At-Large mailing list
> >>> > At-Large at atlarge-lists.icann.org
> >>> > https://atlarge-lists.icann.org/mailman/listinfo/at-large
> >>> >
> >>> > At-Large Official Site: http://atlarge.icann.org
> >>> >
> >>
> >>
> >>
> >> --
> >> Aida Noblia
> >>
> >
> >
> >
> > --
> > Aida Noblia
> >
>
>
>
> --
> Aida Noblia


