Hi Sergey,

Quoting Sergey Myasoedov on Friday March 27, 2020:
>
> There is no specific concern. Any KSK operation can be performed without the physical
> TCRs presence. There is no other source of confidence except TCRs, and their absence
> or accessing the private key without their presence isn’t good for trust.

Hopefully our approach does not depend solely on TCRs for confidence. We've consciously sought to operate a highly transparent process that allows anyone who is interested - not just TCRs - to witness proceedings and be involved, either in person or remotely.

Further, we are audited by a third-party audit firm using the SOC 3 framework (formerly SysTrust), and have received unqualified opinions each year since we first started in 2010:

https://www.iana.org/about/audits

Another key protection is we seek to disseminate all the relevant materials from the ceremony. All audit footage, software used, and the logs and artefacts generated are posted online for download and inspection.

Certainly if there is a perception that trust hinges critically on TCRs, we've either not communicated the breadth of the controls well enough, or we need to do more to instill trust. Just as the security envelope for the KSK involves multiple overlapping physical security controls, maintaining trust in KSK management should involve multiple overlapping trust mechanisms to satisfy the community.

> I understand the extraordinariness of the moment, and if you have no choice, you’ll jump to
> Option 2 and Option 3 then. Is the disaster recovery procedure (Option 3) the one that should’ve
> been done on Verisign’s disaster recovery site? Does it require to access the cards? Or we’re
> discussing the non-disaster remote ceremony?

We do not have any disaster recovery sites, and we do not use any sites operated by Verisign. We have two replica sites which, in normal operations, we alternate holding key ceremonies. We can use either to perform a key ceremony.

Verisign operates their own infrastructure as it pertains to managing the ZSK for the root zone.

kim
