[dns-operations] [Ext] Re: Contingency plans for the next Root KSK Ceremony
s at netartgroup.com
Fri Mar 27 00:15:50 UTC 2020
There is no specific concern. Any KSK operation can be performed without the physical
TCRs’ presence. There is no other source of confidence except TCRs, and their absence
or accessing the private key without their presence isn’t good for trust.
I understand the extraordinariness of the moment, and if you have no choice, you’ll jump to
Option 2 and Option 3 then. Is the disaster recovery procedure (Option 3) the one that should’ve
been done on Verisign’s disaster recovery site? Does it require accessing the cards? Or are we
discussing the non-disaster remote ceremony?
> On 26 Mar 2020, at 23:21, Kim Davies <kim.davies at iana.org> wrote:
> Quoting Sergey Myasoedov on Thursday March 26, 2020:
>>> • Using 3 TCRs’ credentials, either by having their access key transferred to us in a secure manner in advance of the ceremony, or by drilling the safety deposit box that holds their secure elements.
>> Accessing the credentials without the TCRs present will shatter confidence in the TCR model. Better avoid that.
> It would be good to better understand this concern, because we are
> facing scenarios where we may not have a choice but to do it in this
> manner. What are your specific concerns about the lack of physical TCR
> participation, and what would be the best way to remediate them?
> Bear in mind our goal is to continue to involve TCRs remotely in an
> active role as much as possible, much in the same way they would
> participate in a regular ceremony. They would oversee custody of their
> credential, along with having the opportunity to interject and advise
> along the way.