On 16 jul 2010, at 19.59, Thierry Moreau wrote: > With what was called DURZ (Deliberately Unvalidatable Root Zone), you, > security experts, has been trained to accept signature validation failures as > false alarms by experts from reputable institutions.
Thierry, do you know of anyone that configured the DURZ DNSKEY and accepted the signature validation failure resulting because of this? We had good (documented) reasons for deploying the DURZ as we did, the deployment was successful and it is now all water under the bridge. Adding FUD at this time does not help. > Auditing details are not yet public. Yes, they are - see http://data.iana.org/ksk-ceremony/. If there is anything missing, please let me know. > I am wondering specifically about the protections of the private key material > between the first "key ceremony" and the second one. I didn't investigate > these details since ICANN was in charge and promised full transparency. > Moreover, my critiques were kind of counterproductive in face of the > seemingly overwhelming confidence in advice from the Verisign experts. In the > worse scenario, we would already have a KSK signature key on which a > "suspected breach" qualification would be attached. The key material was couriered between the Key Management Facilities by ICANN staff members. I'd be happy to make sure you get answers to any questions you may have regarding this handling. > Is there an emergency KSK rollover strategy? Yes, please read the DPS - https://www.iana.org/dnssec/icann-dps.txt. jakob (member of the Root DNSSEC Design Team) -- Jakob Schlyter Kirei AB - http://www.kirei.se/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com