[dns-esp] Fwd: FW: Contingency plans for the next Root KSK Ceremony

Andres Pavez apavez.zavala at gmail.com
Fri Apr 24 14:22:08 -04 2020

Hi Hugo,

On Fri, Apr 24, 2020 at 9:00 AM Hugo Salgado via dns-esp
<dns-esp at listas.nic.cl> wrote:
> Hi Andrés. I heard that the ceremony was held yesterday,
> great! And in the end, did the TCRs send their keys to local
> representatives in Los Angeles? And did they monitor everything remotely?

Yes. We sent material to 4 TCRs so that they could send us 1 copy of
their keys. We only need 3 TCRs, but we asked for 1 extra in case of
any contingency or delay in the arrival of the keys. They sent us
their keys, addressed to 4 ICANN/PTI (IANA) staff members who have a
trusted role in the ceremony, in an envelope and inside a Tamper Evident
Bag (TEB) with a statement for audit purposes.

They took part in a Zoom call, in addition to the streaming of the
ceremony, to remotely monitor, verify and authorize the use of
their keys. Before the ceremony ended, their keys were placed
inside an envelope and a TEB to be sent back after the
ceremony. Once they receive them, they will send another statement
to close the chain of trust. In addition, it is planned to replace
the TCRs' safe deposit boxes at the next
ceremony where they can be present.

> Also, I understand that you signed several months in advance, in order
> to skip the next ceremony, right?

Right, that's how it was. Since it is not known whether a ceremony can be
held with the TCRs present, 3 quarters were signed, approx. until March
2021. The signatures are kept safe by ICANN/PTI (IANA) and will be
delivered to Verisign when appropriate so that it can sign the root zone.

> Thanks, and congratulations on having pulled it off!

Thanks, yes, this year has been special for the ceremonies: first the
safe in February and now the pandemic-edition ceremony, with everyone
wearing masks.


> Hugo

Andrés Pavez

> On 15:20 26/03, Andres Pavez via dns-esp wrote:
> > Hi,
> > I am forwarding you an announcement from IANA about the plans for holding
> > the next root zone KSK ceremony, given the travel restrictions
> > and the quarantine period we are living through.
> > Any comments are welcome.
> > Regards.
> >
> > On 3/25/20, 18:52, "root-dnssec-announce on behalf of Kim Davies"
> > <root-dnssec-announce-bounces at icann.org on behalf of
> > kim.davies at iana.org> wrote:
> >
> > The IANA team, and the broader ICANN organization, have been giving
> > significant thought to the Coronavirus pandemic and its impact on root
> > zone KSK operations. Managing the KSK is centred on conducting "key
> > signing ceremonies", where trusted community representatives (TCRs)
> > attend from around the world to witness utilization of the root zone
> > KSK private key. This approach seeks to engender trust in the broader
> > community that the key has not been compromised, in addition to more
> > typical controls such as third-party auditing.
> >
> > In light of world events we have developed contingency plans around
> > how to hold key ceremonies in the short term. To that end, we
> > identified a graduated set of options, in summary:
> >
> > 1. Hold the next ceremony as planned on April 23, with a quorum
> >    of participants globally.
> > 2. Hold the next ceremony on a different date using only US-based TCRs.
> > 3. Hold the next ceremony using our disaster recovery procedure,
> >    which provides for a staff-only ceremony (i.e. no TCRs would be
> >    physically present).
> >
> > In general, our goal has been to navigate from Option 1, and if that
> > is not possible, Option 2, and so on. However, at this time, our focus
> > is on developing a plan around Option 3.
> >
> > The ceremony is currently scheduled unusually early in the quarter (it
> > is typically held in May), and needs to be held to generate signatures
> > that will be needed in production for July. Our contingency plan is
> > comprised of:
> >
> > - Holding the ceremony with a bare minimum of staff (approximately 6);
> >
> > - Using 3 TCRs’ credentials, either by having their access key
> >   transferred to us in a secure manner in advance of the ceremony, or by
> >   drilling the safety deposit box that holds their secure elements.
> >
> > - Holding the ceremony under typical audit coverage, allowing
> >   for remote witnessing of events by all, plus providing additional
> >   opportunities for TCRs to stay involved in the process remotely.
> >
> > - Signing key materials to cover one or more subsequent
> >   quarters, to provide relief from the need to necessarily hold
> >   ceremonies later in 2020 if circumstances disallow it. (The additional
> >   signatures would be withheld securely until they are needed.)
> >
> > Our key management facilities were designed with the disaster recovery
> > capability of performing staff-only ceremonies in mind, but this is a
> > significant shift from normal operations and we want to promote
> > broader community awareness of this work. Those directly involved in
> > key ceremonies - the trusted community representatives, our vendors
> > and auditors - have been consulted and are broadly supportive of this
> > effort.
> >
> >
> > Should there be any specific feedback you would like to share with our
> > team, please email me <kim.davies at iana.org> and we will take it into
> > consideration as we finalize our plans.
> >
> > Thank you for your support,
> >
> > Kim Davies
> > VP, IANA Services, ICANN
> > President, Public Technical Identifiers (PTI)
> > _______________________________________________
> > dns-esp mailing list
> > dns-esp at listas.nic.cl
> > https://listas.nic.cl/mailman/listinfo/dns-esp