[At-Large] FRIENDLY REMINDER: Review on Trusted Community Representation #Root #Zone #DNSSEC [Call for Comments]

Aida Noblia aidanoblia at gmail.com
Tue Feb 11 21:02:14 UTC 2014


Thanks Dev for direction and clarification. That's where I read it.
Actually I never thought I will use the facilities for any kind of
ceremonies independent of each other, but there is as two complementary
parts are related. I think that says mirror for a ceremony. I'm not a
computer technician.
This topic is highly regulated by technical standards and Verisign company
offering computer security.

 Regarding the TCR think it is important to note that the amount is
sufficient to meet the requirements and that of 21 selected 6 or 8. If a
ceremony without the other as you mention can be done with more reason is
that I do not need more than 21 TCR.

Greetings to all


2014-02-11 17:59 GMT-02:00 Dev Anand Teelucksingh <devtee at gmail.com>:

> Thanks Aida for your attention to this.
>
> I've been reading the document titled
> "DNSSEC Root Zone High Level Technical Architecture" at
>
> http://www.root-dnssec.org/wp-content/uploads/2010/06/draft-icann-dnssec-arch-v1dot4.pdf
>
> pages 8 to 10 talks about the Key Signing Key (KSK) Ceremonies.
>
> Some excerpts:
>
> "The ceremonies will alternate between mirror sites to exercise their
> operational readiness in case of emergency.....
>
> ....Once a new KSK is generated during a key generation ceremony, it is
> backed up in
> encrypted form on a smart card and distributed to the mirror site for
> import and storage.
> The key ceremony is inclusive of these events and is not deemed complete
> until they
> have all been performed. Key signing ceremonies (during which the contents
> of the KSR are signed) are
> more frequent than KSK generation ceremonies and, though they alternate
> between sites,
> a given signing ceremony does not involve the corresponding mirror site."
>
> "The KSKs for the DNSSEC root zone system will be maintained at two
> offline sites
> each mirroring the other in functionality. To meet DoC requirements, the
> two sites
> maintaining the private half of the KSKs will be geographically dispersed
> and within the
> United States: one in Los Angeles, California (near ICANN headquarters)
> and the other
> outside the metropolitan Washington, D.C. area"
>
>
> Therefore, this document indicates that the two facilities are NOT used at
> the same time for any ceremony, but rather alternates between the two
> venues.
>
> Kind Regards,
>
> Dev Anand
>
>
>
>
>
>
>
>
> On Tue, Feb 11, 2014 at 12:03 PM, Aida Noblia <aidanoblia at gmail.com>wrote:
>
>> Hola a todos:
>>
>> Al comentario de Dev: en la wiki:
>>
>> La línea "La posibilidad de contar con la firma al mismo tiempo ....." es
>> confuso para mí. Según tengo entendido la ceremonia de firma clave,
>> cualquier acto requiere viajar por algunos de 7 Oficiales Crypto a una de
>> las dos instalaciones en los EE.UU.. Creo que no hay acciones simultáneas
>> que ocurren en ambas instalaciones al mismo tiempo. Voy a apreciar
>> cualquier aclaración al respecto.
>>
>> Dev y todos: respecto al pedido de aclaración que Ud hizo  sobre que se
>> hacen dos ceremonias por vez:
>>
>> El documento "Review of Trusted Community Representation in Root Zone
>> DNSSEC Key Signing Ceremonies" dice en uno de sus párrafos  Pego abajo los
>> textos y en negrita lo que copie textual.
>>
>>
>> "De los 21 TCR , siete tienen las credenciales como "oficiales " cripto
>> (COS) *para cada uno de los dos instalaciones*, y los siete restantes
>>
>> actúan como "accionistas clave de recuperación " que sólo participar en
>> las
>> ceremonias en el caso de que el número requerido de las OP no pueden
>> participar o existe la necesidad de reconstruir el KSK después de un
>> evento
>> imprevisto. *De los siete* objetores de conciencia *para cada
>> instalación*,
>> ICANN espera tener *cuatro asisten cada ceremonia* ."
>>
>>
>>
>> En otro de los documentos de IANA, está más detallado y dice que ambas
>> ceremonias serán en dos diferentes lugares de un mismo país, al que
>> menciona, y aclara que una en la zona Este y otra en la zona Oeste. Estoy
>> buscando en cuál de los documentos leí esto. Es en el referido
>> específicamente a las ceremonias de la KSK. No recuerdo si es un txt..
>>  refieren a normas técnicas de seguridad informática.
>>
>>
>> "Of the 21 TCRs, seven are credentialed as "crypto officers" (COs)* for
>> each of the two*
>>
>> *facilities*, and the remaining seven act as "recovery key shareholders"
>>
>> who only
>>
>> participate in ceremonies in the event the requisite number of COs are
>> unable to
>>
>> participate or there is a need to rebuild the KSK following an unforeseen
>> event. Of
>>
>> the seven COs for each facility, ICANN aims to have *four attend each
>> ceremony.*."
>>
>>
>>
>>
>> In other documents IANA, is more detailed and it says both ceremonies will
>> be in two different places in the same country, which mentions and
>> clarifies that in the east and another in the west. I am looking at which
>> of the documents I read this. It is specifically referred to in the
>> ceremonies of the KSK. I do not remember if it's a txt .. refer to
>> technical standards of information security.
>>
>>
>> Saludos a todos
>>
>>
>> Aída
>>
>> "
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> 2014-02-11 3:19 GMT-02:00 Aida Noblia <aidanoblia at gmail.com>:
>>
>> >
>> > Disclaimer: are only two times a year the ceremonies. There are two
>> > ceremonies at a time, in total there are four ceremonies a year.
>> >
>> > Aída
>> >
>> >
>> > 2014-02-11 3:04 GMT-02:00 Aida Noblia <aidanoblia at gmail.com>:
>> >
>> > Dear Dev and All_
>> >>
>> >> The proportion of the world population and the number of TCR is not
>> >> relevant for the purposes of these ceremonies. This ratio is
>> determined by
>> >> the specific needs of the ceremony, not proportion the world
>> population.
>> >>
>> >> There are four times in the year they are made ceremonies. To them is
>> >> determined by technical rules attending 6 or 8 people out of 21 that
>> are
>> >> available. Increased availability does not mean most people in the
>> >> ceremonies. The question is not about how many people attend the
>> ceremonies
>> >> but many are available for selection.
>> >>
>> >> Kind Regards
>> >>
>> >> Aída
>> >>
>> >>
>> >> 2014-02-10 21:38 GMT-02:00 Dev Anand Teelucksingh <devtee at gmail.com>:
>> >>
>> >> Posted some comments at the wiki https://community.icann.org/x/nge6Ag
>> >>>
>> >>> Kind Regards,
>> >>>
>> >>> Dev Anand
>> >>>
>> >>>
>> >>> On Sun, Feb 9, 2014 at 8:07 PM, Salanieta T. Tamanikaiwaimaro <
>> >>> salanieta.tamanikaiwaimaro at gmail.com> wrote:
>> >>>
>> >>> > Dear All,
>> >>> >
>> >>> > This is to advise that further edits have been made to reflect the
>> new
>> >>> > responses that came. Changes are in *bold and blue*.
>> >>> >
>> >>> > See: https://community.icann.org/x/nge6Ag
>> >>> >
>> >>> > Kind Regards,
>> >>> > Sala
>> >>> > _______________________________________________
>> >>> > At-Large mailing list
>> >>> > At-Large at atlarge-lists.icann.org
>> >>> > https://atlarge-lists.icann.org/mailman/listinfo/at-large
>> >>> >
>> >>> > At-Large Official Site: http://atlarge.icann.org
>> >>> >
>> >>> _______________________________________________
>> >>> At-Large mailing list
>> >>> At-Large at atlarge-lists.icann.org
>> >>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>> >>>
>> >>> At-Large Official Site: http://atlarge.icann.org
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Aida Noblia
>> >>
>> >
>> >
>> >
>> > --
>> > Aida Noblia
>> >
>>
>>
>>
>> --
>> Aida Noblia
>> _______________________________________________
>> At-Large mailing list
>> At-Large at atlarge-lists.icann.org
>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>>
>> At-Large Official Site: http://atlarge.icann.org
>>
>
>


-- 
Aida Noblia



More information about the At-Large mailing list