[dns-esp] Fwd: FW: Contingency plans for the next Root KSK Ceremony

Hugo Salgado hsalgado at nic.cl
Fri Apr 24 11:59:59 -04 2020


Hi Andrés. I heard that the ceremony was able to take place
yesterday, that's great! And in the end, did the TCRs send their
keys to local representatives in Los Angeles? And did they monitor
everything remotely?

Also, I understand that they signed several months in advance, in
order to skip the next ceremony, right?

Thanks, and congratulations on having pulled it off!

Hugo

On 15:20 26/03, Andres Pavez via dns-esp wrote:
> Hello,
> I am forwarding you an announcement from IANA about the plans for
> holding the next root zone KSK ceremony, given the travel
> restrictions and the quarantine period we are living through.
> Any comments are welcome.
> Regards.
> 
> On 3/25/20, 18:52, "root-dnssec-announce on behalf of Kim Davies"
> <root-dnssec-announce-bounces at icann.org on behalf of
> kim.davies at iana.org> wrote:
> 
> The IANA team, and the broader ICANN organization, have been giving
> significant thought to the Coronavirus pandemic and its impact on root
> zone KSK operations. Managing the KSK is centred on conducting "key
> signing ceremonies", where trusted community representatives (TCRs)
> attend from around the world to witness utilization of the root zone
> KSK private key. This approach seeks to engender trust in the broader
> community that the key has not been compromised, in addition to more
> typical controls such as third-party auditing.
> 
> In light of world events we have developed contingency plans around
> how to hold key ceremonies in the short term. To that end, we
> identified a graduated set of options, in summary:
> 
> 1. Hold the next ceremony as planned on April 23, with a quorum
>    of participants globally.
> 2. Hold the next ceremony on a different date using only US-based TCRs.
> 3. Hold the next ceremony using our disaster recovery procedure,
>    which provides for a staff-only ceremony (i.e. no TCRs would be
>    physically present).
> 
> In general, our goal has been to navigate from Option 1, and if that
> is not possible, Option 2, and so on. However, at this time, our focus
> is on developing a plan around Option 3.
> 
> The ceremony is currently scheduled unusually early in the quarter (it
> is typically held in May), and needs to be held to generate signatures
> that will be needed in production for July. Our contingency plan is
> comprised of:
> 
> · Holding the ceremony with a bare minimum of staff (approximately 6);
>
> · Using 3 TCRs’ credentials, either by having their access key
>   transferred to us in a secure manner in advance of the ceremony, or by
>   drilling the safety deposit box that holds their secure elements.
>
> · Holding the ceremony under typical audit coverage, allowing
>   for remote witnessing of events by all, plus providing additional
>   opportunities for TCRs to stay involved in the process remotely.
>
> · Signing key materials to cover one or more subsequent
>   quarters, to provide relief from the need to necessarily hold
>   ceremonies later in 2020 if circumstances disallow it. (The additional
>   signatures would be withheld securely until they are needed.)
> 
> Our key management facilities were designed with the disaster recovery
> capability of performing staff-only ceremonies in mind, but this is a
> significant shift from normal operations and we want to promote
> broader community awareness of this work. Those directly involved in
> key ceremonies - the trusted community representatives, our vendors
> and auditors - have been consulted and are broadly supportive of this
> effort.
> 
> 
> Should there be any specific feedback you would like to share with our
> team, please email me <kim.davies at iana.org> and we will take it into
> consideration as we finalize our plans.
> 
> Thank you for your support,
> 
> Kim Davies
> VP, IANA Services, ICANN
> President, Public Technical Identifiers (PTI)