[dns-operations] [Ext] Re: Contingency plans for the next Root KSK Ceremony

[Erwin Lansing]

Hi Kim,

> On 27 Mar 2020, at 01.55, Kim Davies <kim.davies at iana.org> wrote:
> 
> Hopefully our approach does not depend solely on TCRs for confidence.
> We've consciously sought to operate a highly transparent process
> that allows anyone who is interested - not just TCRs - to witness
> proceedings and be involved, either in person or remotely. Further,
> we are audited by a third-party audit firm using the SOC 3 framework
> (formerly SysTrust), and have received unqualified opinions each year
> since we first started in 2010: https://www.iana.org/about/audits
> 
> Another key protection is we seek to disseminate all the relevant
> materials from the ceremony. All audit footage, software used, and
> the logs and artefacts generated are posted online for download and
> inspection.
> 
> Certainly if there is a perception that trust hinges critically on TCRs,
> we've either not communicated the breadth of the controls well enough,
> or we need to do more to instill trust. Just as the security envelope
> for the KSK involves multiple overlapping physical security controls,
> maintaining trust in KSK management should involve multiple overlapping
> trust mechanisms to satisfy the community.

I think you hit the nail on the head here: it’s all about perception. No matter how many other controls and layer of security, drilling a safe bring up certain images in peoples minds. For that reason alone, I’d also rather avoid that solution, but extraordinary circumstances require extraordinary solutions. As you say, the process is a transparent as it can be, and with enough emphasis on the existing, and possibly extra, security measures, it should be no problem to dispel that perception, and it may well be the most practical way to go.

Best,
Erwin