Passing the Torch – My Last Root DNSSEC KSK Ceremony as Crypto Officer 4
technotes.seastrom.com72 points by greyface- 6 months ago
72 points by greyface- 6 months ago
I enjoyed reading the ceremony log itself, a lot! It’s linked at the bottom of the article.
https://technotes.seastrom.com/assets/2025-11-23-passing-the...
Hypothetically, is there a way to know that those present were not under duress? I am guessing that duress is the only viable attack against the ceremony protocol — everyone present appears to play their part but, offscreen and visible only to the participants, are the villains and some hostages.
Not sure how geographically diverse it is to have two "highly secure sites" on the same continent.
Several people either in this circuit or close by made submissions to this effect to ICANN recently.
It's very hard to get traction on this story because there is a lot of "don't prod the bear" regarding things ICANN can and should ask Department of State about, and things which really have moved into "self managed, independent international body" space. The reason there are two HSM east and west coast was because of this kind of national-strategic sensitivity. It would be a low bar (only money) decision to duplicate the investment in Singapore and Geneva, two locations which ICANN has existing investment in, with good secure facilities and accepted by the wider public as "neutral" points.
When the KSK ceremonies started up, several people also pointed out that this "diverse locations" thing was a bit hokey. The response above is my re-write of the kinds of things said to me, at the time. If somebody wants to deny State or any other US federal agency influenced the decision I have no formal proof.
I should add as a declaration of interest I was at Rob's goodbye KSK event, I am a TCR, and I made such a submission this year. I have not received any indication it was understood or read, despite asking for some acknowledgement, but the process wheels in an agency like ICANN run to their own time.
What would "poking the bear" do here? What's the risk?
The risk is being told no, and inviting dissent into the independence of ICANN. Not asking, means no risk of being told "no, you do as you're told" which would endanger the whole 3 legged stool. the GAC would immediately question the assumption the US government had that level of signoff, the money flows and lawyers would fire up, it would be come a shitstorm in a teacup.
The least likely outcome of asking the department of state if ICANN is "permitted" to add an HSM outside the USA, is a positive answer.
The most likely path to doing it, is not to assume you have to ask.
Interesting. Thanks!
It's my personal opinion from beer convos with people in the circuit. As I said I have no firm proofs and you should hedge belief in this by the lack of verifyable facts.
Don't we have the '98 DNS ROOT incident as a nice example of what could happen when the bear gets poked?
Yes, but we're a long way down "our hands are off it's ICANN now". The exception might be DNSSEC and the verisign contract continuance. I have no complaint against verisign, far from it: their staff are excellent and they are amazingly diligent and risk averse.
But at a contractual level you could ask is there another company which could tender to operate the root publication function, and meet all stakeholder requirements? And, could that company be legally constituted outside the USA?
CERN?
Given that they contributed one of the key components that made the internet into the success that it is as well as being internationally respected.
Possibly. Ex CERN staff have indicated they were dismayed when the address management function went elsewhere in Europe. I know people both sides of this divide, it's ancient history in some ways.
I worked in another RIR. I still contract there.
Asking the US Dept. of State would almost certainly result in "huh?" from the folks there. The part of the USG that plays in the ICANN kiddie pool is US Dept. of Commerce (NTIA) and they no longer have a veto on what ICANN does.
One of the issues is section 4.2 of the IANA Naming Functions contract:
"[...] Contractor must be able to demonstrate that all primary operations and systems will remain within the United States (including the District of Columbia). [...]"
The Key Management Facilities are considered a part of the "primary operations and systems". IIRC, this clause was included in order to move the transition of the IANA functions forward in the face of some resistance within the US government.
Until that bit of legalese is revised, there will be no movement on creating a non-US key management facility. I believe changing the IANA Functions contract requires the Customer Standing Committee. As far as I am aware, no one within the CSC thought it worth the effort, i.e., "if it ain't broke, don't fix it".
Perhaps under the current US administration, that feeling as changed, but I haven't heard of any significant efforts in that regard.
There are security concerns having sites outside of America. I prefer keeping them only within my home country.
Equally there are security concerns having sites inside the US.
I'd rather have it somewhere stable like Switzerland
I suspect the only reason this hasn't been used as part of "deal leverage" is because the US regime doesn't know of its existence
The USA has shown, over the last 12 months, what a security-conscious country it is. The Defense Secretary's almost fanantical regard for messaging security should be held up as an object lesson for all future generations.
KMF-East is the Gegenvorschlag, or counterproposed key-management for the resolution of TCP/IP ICANN domain certifications.
DNSSEC requires cycling existing TCR for AES-256 symmetric encryptions or leveraging localised key share cycles.
He should probably update his “About” page on his blog to remove ”I sign the DNSSEC root”, then.
If you're looking to correct people about random parts of their website, perhaps it'd be a better idea to mail them than to comment here, where they're never going to see it. What was the point of this comment, other than mean-spiritedness?
So you think I should e-mail somebody out of the blue, bothering them personally, to complain about their personal web site? Do you think that most people would react well if they recieved such a message?
HN is a quote well-known community. It is very common that people read the discussion on HN when their project or themselves are featured. And if they are that interested in what others think, they would then likely see comments such as mine. And if they are not the type to want to read comments, they won’t see my comment and therefore not be bothered by it.
I am baffled when trying to imagine why you think this is “mean-spirited”. On the contrary, this is the most respectful way to offer a minor suggestion that I can think of.