[dns-operations] First Root Zone DNSSEC KSK Ceremony

Doug Barton dougb at dougbarton.us
Mon Jun 7 03:08:02 UTC 2010

On 06/06/10 18:32, David Conrad wrote:
> Doug,
> On Jun 6, 2010, at 2:36 PM, Doug Barton wrote:
>> The most transparent option would be to stream the whole thing
>> live, warts and all.
> Because as we all know, it is impossible to hack a video feed.  And
> when the video feed cuts out because of a DDoS attack, a failure of
> equipment, or a mistake on the part of ICANN staff, what should we
> do: cancel the event and tell all the TCRs to come back another day
> (on their dime)?  And how do we deal with the accusations that the
> cut streaming video is evidence that ICANN has tampered with the
> KSK?

I agree that there is a non-zero possibility that there may be a problem 
with streaming the thing live, and it's definitely true that if such a 
problem happened, for whatever reason, there would be people who 
interpret that as A Sign. However, you're never going to satisfy the 
true "nutters" no matter what you do. Even a 100% successful live stream 
from multiple camera angles won't convince them because they don't 
believe ICANN is capable of getting out of bed in the morning without a 
conspiracy (or 2, or 3).

On the other end of the spectrum are the ultimately reasonable people. 
By definition we don't have to worry about them. In the middle of the 
bell-shaped curve are the people who need to be told:
1. The TCRs and on-site observers are the first/best assurance to the
community that things will go according to the agreed-upon plan.
2. The live streaming will be done on a best-effort basis, but may 
succumb to circumstances beyond your control.
3. The full, unedited video will be available no later than 24 hours 
after the event is over.

If all of that is not enough to satisfy the people in the middle, maybe 
they are more in the "nutter" category than they would like to admit.

So just to be clear, I do understand that there are potential downsides 
to live streaming, but IMO the pluses far outweigh the potential minuses.

> Given the very tight time constraints, our entire focus has been to
> make sure the various bits and pieces necessary to ensure the KSK is
> properly generated and utilized with the Trusted Community
> Representatives being the key ensurers that the project is done with
> a sufficient level of trust. It is much harder to hack the optic
> nerves of multiple people physically present for the key signing and
> thus, they are the primary source of trust, transparency, etc.

100% agree.

> More pragmatically, there simply isn't time to test the additional
> bits and pieces associated with doing live streaming from the
> Culpeper facility.

If that's true then Joe's statement should have been, "We considered 
live streaming but it's not technically feasible for X, Y, and Z 
reasons." Saying that NOT streaming it live will provide better 
transparency sounds exactly like the kind of black helicopter 
mumbo-jumbo that feeds the nutters.

> Or, if the community so strongly wishes to view the proceedings live
> over the Internet, we could look into delaying signing the root...

I knew SOMEONE was going to toss that in. :)

In all seriousness however, y'all really need a better answer to this 
question. I cannot be the first one to think of it, and I'd be 
astonished if I were the last one to ask it.

Doug (Sometimes you feel like a nut ...)


	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/
