Comment Close Date | Statement Name | Status | Assignee(s) and | Call for Comments | Call for Comments Close | Vote Announcement | Vote Open | Vote Reminder | Vote Close | Date of Submission | Staff Contact and Email | Statement Number |
---|---|---|---|---|---|---|---|---|---|---|---|---|
11.02.2014 | Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies | ADOPTED12Y, 0N, 0A | Salanieta Tamanikaiwaimaro (APRALO) | 31.01.2014 | 07.02.2014 | 11.02.2014 | 11.02.2014 | 16.02.2014 | 17.02.2014 | 18.02.2014 | Kim Davies kim.davies@icann.org | AL-ALAC-ST-0214-02-00-EN |
For more information about this PC, please click here
FINAL VERSION TO BE SUBMITTED IF RATIFIED
Please click here to download a copy of the PDF below.
FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC
Background
The Affirmation of Commitment describes the Internet as a transformative technology that empowers people around the globe, spurs innovation, facilitates trade and commerce, and enables the free and unfettered flow of information[1]. One of the elements of the Internet's success is a highly decentralized network that enables and encourages decision-making at a local level. Notwithstanding this decentralization, global technical coordination of the Internet's underlying infrastructure - the Domain Name System[2] (DNS) - is required to ensure interoperability[3].
DNS Security Extensions[4] (DNSSEC) is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s global phone book. DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated. An individual signature is validated by following a chain of signatures to a key which is trusted for some extra-protocol reason. ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors[5] for the root zone of the Domain Name System.
Since July 2010, the DNS Root Zone has been secured using DNSSEC. The model of using DNSSEC in the DNS Root Zone revolves around a "key signing key" (KSK) that is managed by ICANN in two secure facilities. Four times a year, a ceremony is conducted at these facilities to perform operations involving the KSK. As a key part of this process, a minimum of three from a pool of 21 trusted community representatives (TCRs) attend each ceremony to enable access to the secure materials, to witness the procedure, and to attest that the ceremony was conducted properly.
Introduction
The At Large Community recognizes the role and significance that the DNS plays in ensuring interoperability. We recognize the importance of DNSSEC in the security, stability and resiliency of the Internet in the root zone and the subsequent deployment in DNS Infrastructure. Noting that at the time this statement was written there were 427 TLDs in the root zone of which 235 are signed and that 229 have trust anchors published in the DS records in the root zone whilst 4 TLDs have trust anchors published in the ISC DLV Repository, we hope that in time more TLDs will move towards having trust anchors published.
The Root Zone Key Signing Ceremony points to one of ICANN’s important functions of preserving accountability and transparency in the manner in which it conducts its DNSSEC Key Signing Ceremonies.
We recognize the unique combination the key-signing and TCRs make of broad participation, transparency and accountability in order to serve the central function of preserving and enhancing the stability, security and resilience of the DNS, thus engendering widespread trust.
We would like to congratulate all the stakeholders involved in the KSK management process on the services since the first KSK signing ceremony till to date. We welcome the opportunity to contribute to the Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies. Following consultations with the At Large community along the questions that was raised, we found that on some issues there was divergence of views and we have captured both views.
1. Is the current TCR model effectively performing its function of ensuring trust in the KSK management process?
The current Trusted Community Representative (TCR) model has been effectively performing its functions of ensuring trust in the KSK management process; however, we make the following observations.
The Abbreviation Draft of the Key Signing Ceremony Annotated Scripts, which provides a permanent trusted record of the Ceremony, does not include a definition for "EW" when these appear to be sometimes the largest number of category of people at the Ceremony. The Key Signing Ceremony Annotated Scripts do not clearly state whether there are no other participants (including Camera person) present apart from those listed.
2. Is the current size of the TCR pool appropriate to ensure sufficient participation in the ceremonies, while not overburdening the availability of specific volunteers?
There are two different views on this. The first view is that the current size of the TCR pool is sufficient. The second view is that the current size needs to be expanded to cater for unforeseen circumstances (includes but is not limited to terrorist attacks, flight disruptions, state of emergency, civil war, etc) that could render a majority of the 21 TCRs unable to attend to their responsibilities. The possibility of having signing at the same time in either the same country or different countries or frequency of signing could also exhaust reserves leading to overburdening these volunteers. There might be some merit in expanding the pool and retaining the TCRs whilst rotating them from within the pool of candidate TCRs.
3. Should there be a minimum level of participation required of a TCR in order to be considered to be successfully discharging their duties?
The community believes that TCRs should meet the existing criteria merited of what would comprise a responsible TCR. TCRs should actively engage by writing reports which are made public. Minimum participation should include, attendance, engagement, carrying out responsibilities, writing full and thorough reports and listing concerns if any.
4. There is no standard provision to refresh the list of TCRs except when they are replaced due to inability to effectively perform their function. Should there be a process to renew the pool of TCRs, such as using term limits or another rotation mechanism?
There are two views on this matter. The first view is that the existing pool and their indefinite terms are sufficient and that the 21 TCRs are more than enough to meet possible contingencies that may arise. That there is no need for process to renew the pool neither of TCRs nor to use term limits or introduce a rotation mechanism.
The other view is that there is a need for term limits as the original TCR mechanism is silent on the term. Given the Internet reaches an estimated 2.6 billion users all over the world, there should be enough candidates able to meet the criteria of being a TCR. The number of candidate or backup TCRs can also be increased. Regardless, where there is an assumption of indefinite service as a TCR, there should be a constant requirement to disclose any and all potential conflicts of interest to disable the risk of “capture” by any stakeholder or interest.
5. The current model does not compensate TCRs for their services in order to
ensure their independence from ICANN.
a. Should the model of TCRs paying the costs of their participation be retained?
b. Would some form of compensation to offset the expenses incurred by the TCRs detract from their independence in performing the role?
c. If you support compensating TCRs for their expenses, are there requirements or limitations on whom the funding organization should be?
There are two divergent views in relation to this. The first view holds that the current model where TCRs pay the costs should be retained. TCRs should be cost-neutral for those not supported by firms or other entities should suffice. To create another source of travel funds for TCRs is poor and unwarranted.
The second view acknowledges the financial burden placed on TCRs. Although TCRs are volunteers, a system should be set in place that guarantees independence yet allows them to carry out their duty. A fund should be managed externally that is independent that can cater for the expenses of the TCRs.There should be limitations on those who can contribute to this fund. Any funds or gifts being awarded to the TCR should be promptly and formally disclosed through appropriate avenues. One of the suggestions for possible funding model is where ICANN sets up the fund as in the case of the Office of the Independent Objector (IO) where ICANN does not interfere with the decisions of the (IO).
FIRST DRAFT SUBMITTED
Background
The Affirmation of Commitment describes the Internet as a transformative technology that empowers people around the globe, spurs innovation, facilitates trade and commerce, and enables the free and unfettered flow of information[1]. One of the elements of the Internet's success is a highly decentralized network that enables and encourages decision-making at a local level. Notwithstanding this decentralization, global technical coordination of the Internet's underlying infrastructure - the Domain Name System[2] (DNS) - is required to ensure interoperability[3].
DNS Security Extensions[4] (DNSSEC) is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s global phone book. DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated. An individual signature is validated by following a chain of signatures to a key which is trusted for some extra-protocol reason. ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors[5] for the root zone of the Domain Name System.
Since July 2010, the DNS Root Zone has been secured using DNSSEC. The model of using DNSSEC in the DNS Root Zone revolves around a "key signing key" (KSK) that is managed by ICANN in two secure facilities. Four times a year, a ceremony is conducted at these facilities to perform operations involving the KSK. As a key part of this process, a minimum of three from a pool of 21 trusted community representatives (TCRs) attend each ceremony to enable access to the secure materials, to witness the procedure, and to attest that the ceremony was conducted properly.
Questions for the At Large
- Is the current TCR model effectively performing its function of ensuring trust in the KSK management process?
- Is the current size of the TCR pool appropriate to ensure sufficient participation in the ceremonies, while not overburdening the availability of specific volunteers?
- Should there be a minimum level of participation required of a TCR in order to be considered to be successfully discharging their duties?
- There is no standard provision to refresh the list of TCRs except when they are replaced due to inability to effectively perform their function. Should there be a process to renew the pool of TCRs, such as using term limits or another rotation mechanism?
- The current model does not compensate TCRs for their services in order to ensure their independence from ICANN.
- Should the model of TCRs paying the costs of their participation be retained?
- Would some form of compensation to offset the expenses incurred by the TCRs detract from their independence in performing the role?
- If you support compensating TCRs for their expenses, are there requirements or limitations on whom the funding organization should be?
DRAFT ALAC STATEMENT
Introduction
The At Large Community recognizes the role and significance that the DNS plays in ensuring interoperability. We recognize the importance of DNSSEC in the security, stability and resiliency of the Internet in the root zone and the subsequent deployment in DNS Infrastructure. Noting that to date there are 427 TLDs in the root zone of which 235 are signed and that 229 have trust anchors published in the DS records in the root zone whilst 4 TLDs have trust anchors published in the ISC DLV Repository, we hope that in time more TLDs will move towards having trust anchors published.
The Root Zone Key Signing Ceremony points to one of ICANN’s most sacred functions of preserving accountability and transparency in the manner in which it conducts its DNSSEC Key Signing Ceremonies. We would like to congratulate all the stakeholders involved in the KSK management process on the services since the first KSK signing ceremony till to date. We welcome the opportunity to contribute to the Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies.
We believe that the current Trusted Community Representative (TCR) model has been effectively performing its functions of ensuring trust in the KSK management process. We would like to suggest a few additional processes that could complement the existing process. The original TCR proposal is silent on the term. Where there is an assumption of indefinite service as a TCR, there should be a constant requirement to disclose any and all potential conflicts of interest to disable the risk of “capture” by any stakeholder or interest.
We note that there is a financial burden placed on the TCR although they are volunteers and a system should be set in place that guarantees independence yet allows for ease in carrying out their duty. A fund should be managed externally that is independent that can cater for the expenses of the TCRs.There should be limitations on those who can contribute. Any funds or gifts being awarded to the TCR should be promptly and formally disclosed through appropriate avenues.
The At Large community is curious as to whether the TCR who resigned did so because of an inability to continue in his or her role due to arising conflict, lack of finances etc. The current size of the TCR pool needs to be expanded to ensure that there is sufficient participation in ceremonies as ICANN should account for the remote possibility of mass unavailability due to random unforeseen circumstances. There might be some merit in expanding the pool and retaining the TCRs whilst rotating them from within the pool.
21 Comments
Salanieta Tamanikaiwaimaro
Background
The Affirmation of Commitment describes the Internet as a transformative technology that empowers people around the globe, spurs innovation, facilitates trade and commerce, and enables the free and unfettered flow of information[1]. One of the elements of the Internet's success is a highly decentralized network that enables and encourages decision-making at a local level. Notwithstanding this decentralization, global technical coordination of the Internet's underlying infrastructure - the Domain Name System[2] (DNS) - is required to ensure interoperability[3].
DNS Security Extensions[4] (DNSSEC) is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s global phone book. DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated. An individual signature is validated by following a chain of signatures to a key which is trusted for some extra-protocol reason. ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors[5] for the root zone of the Domain Name System.
Since July 2010, the DNS Root Zone has been secured using DNSSEC. The model of using DNSSEC in the DNS Root Zone revolves around a "key signing key" (KSK) that is managed by ICANN in two secure facilities. Four times a year, a ceremony is conducted at these facilities to perform operations involving the KSK. As a key part of this process, a minimum of three from a pool of 21 trusted community representatives (TCRs) attend each ceremony to enable access to the secure materials, to witness the procedure, and to attest that the ceremony was conducted properly.
Questions for the At Large
1. Is the current TCR model effectively performing its function of ensuring trust
in the KSK management process?
2. Is the current size of the TCR pool appropriate to ensure sufficient
participation in the ceremonies, while not overburdening the availability of
specific volunteers?
3. Should there be a minimum level of participation required of a TCR in order
to be considered to be successfully discharging their duties?
4. There is no standard provision to refresh the list of TCRs except when they
are replaced due to inability to effectively perform their function. Should
there be a process to renew the pool of TCRs, such as using term limits or
another rotation mechanism?
5. The current model does not compensate TCRs for their services in order to
ensure their independence from ICANN.
a. Should the model of TCRs paying the costs of their participation be retained?
b. Would some form of compensation to offset the expenses incurred by the TCRs detract from their independence in performing the role?
c. If you support compensating TCRs for their expenses, are there requirements or limitations on whom the funding organization should be?
DRAFT ALAC STATEMENT
Introduction
The At Large Community recognizes the role and significance that the DNS plays in ensuring interoperability. We recognize the importance of DNSSEC in the security, stability and resiliency of the Internet in the root zone and the subsequent deployment in DNS Infrastructure. Noting that to date there are 427 TLDs in the root zone of which 235 are signed and that 229 have trust anchors published in the DS records in the root zone whilst 4 TLDs have trust anchors published in the ISC DLV Repository, we hope that in time more TLDs will move towards having trust anchors published.
The Root Zone Key Signing Ceremony points to one of ICANN’s most sacred functions of preserving accountability and transparency in the manner in which it conducts its DNSSEC Key Signing Ceremonies. We would like to congratulate all the stakeholders involved in the KSK management process on the services since the first KSK signing ceremony till to date. We welcome the opportunity to contribute to the Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies.
We believe that the current Trusted Community Representative (TCR) model has been effectively performing its functions of ensuring trust in the KSK management process. We would like to suggest a few additional processes that could complement the existing process. The original TCR proposal is silent on the term. Where there is an assumption of indefinite service as a TCR, there should be a constant requirement to disclose any and all potential conflicts of interest to disable the risk of “capture” by any stakeholder or interest.
We note that there is a financial burden placed on the TCR although they are volunteers and a system should be set in place that guarantees independence yet allows for ease in carrying out their duty. A fund should be managed externally that is independent that can cater for the expenses of the TCRs.There should be limitations on those who can contribute. Any funds or gifts being awarded to the TCR should be promptly and formally disclosed through appropriate avenues.
The At Large community is curious as to whether the TCR who resigned did so because of an inability to continue in his or her role due to arising conflict, lack of finances etc. The current size of the TCR pool needs to be expanded to ensure that there is sufficient participation in ceremonies as ICANN should account for the remote possibility of mass unavailability due to random unforeseen circumstances. There might be some merit in expanding the pool and retaining the TCRs whilst rotating them from within the pool.
Ends
[1] http://www.icann.org/en/about/agreements/aoc/affirmation-of-commitments-30sep09-en.htm
[2] [RFC 1034] and [RFC1035]
[3] ibid
[4] [RFC4033], [RFC4034], [RFC 4035]
[5] http://data.iana.org/root-anchors/
Olivier Crepin-Leblond
Reading through the documents reporting on the ceremonies, I have noticed two discrepancies which I suggest the ALAC should point out:
Commenting on Sala's draft:
Olivier (in an individual capacity)
Salanieta Tamanikaiwaimaro
Thank you Olivier for your comments.
Alejandro Pisanty
The statement should be expanded to the recognition of the unique combination the key-signing and TCRs make of broad participation, transparency and accountability in order to serve the central function of preserving and enhancing the stability, security and resilience of the DNS, thus engendering widespread trust.
I do not believe ALAC should propose any increase in processes; streamlining should be the direction.
As for support for TCRs, a statement that acting as a TCR should be cost-neutral for those not supported by firms or other entities should suffice. A statement in very restrained terms would go counter to the possibility that the draft be read as suggesting the poorly warranted creation of yet another source of travel funds.
Matt Ashtiani
Silvia Vivanco
COMMENT POSTED BY STAFF ON BEHALF OF FATIMA CAMBRONERO
Regarding the ALAC statement about Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies and based on the comments made in LACRALO, these are the main points to be included in the ALAC statement.
-We agree that the signing process of cryptographic keys that are at the basis of the DNSSEC reliability is of great importance.
-The word "sacred" could be changed to "solemn" because it is a solemnity and its compliance is an essential requirement to the KSK process.
-We believe that the whole process of the ceremony itself is a guarantee of transparency and protection of users. It should be expressed more clearly how this issue may affect Internet users.
-The statement should be expanded to the recognition of the unique combination the key-signing and TCRs make of broad participation, transparency and accountability in order to serve the central function of preserving and enhancing the stability, security and resilience of the DNS, thus engendering widespread trust.
-We do not believe ALAC should propose any increase in processes; streamlining should be the direction. We also consider it is not necessary to increase the number of TCR. This number is reasonable. These members were selected according to clear rules and ensuring compliance with requirements.
-As for support for TCRs, a statement that acting as a TCR should be cost-neutral for those not supported by firms or other entities should suffice. A statement in very restrained terms would go counter to the possibility that the draft be read as suggesting the poorly warranted creation of yet another source of travel funds. We consider it important to maintain the independence and accountability of the process that is being controlled.
- We believe that the entire last paragraph of the statement should be removed. We don't agree with the reference to the "curiosity" of ALAC. That's something should not of interest to ALAC. Also we don't agree to expand the pool of TCR.
Please take these comments into account to be included in the aforementioned statement.
Fatima Cambronero
Salanieta Tamanikaiwaimaro
Dear Fatima,
Thank you for your comments. I am in the process of drafting and edited version of the previous statement and will alert the community to place their final comments and tweaking before this is closed by Staff and sent to the ALAC.
Thank you Sylvia for placing the comments on the wiki - much appreciated.
Kind Regards,
Sala
Tags @Fatima @Oliver @Alejandro
Olivier Crepin-Leblond
I note that there have been several concerns about "increase in processes". I am not sure why the draft mentions an increase - all I see is a suggestion that Terms are limited and/or that full continuous disclosure is needed. That's not an increase in process but certainly is an increase in transparency that serves the public interest.
I understand Alejandro's suggested use of terms to describe cost neutrality. Indeed, suggesting "travel budgets" touches on a raw nerve for some critics.
Olivier
Salanieta Tamanikaiwaimaro
I am currently editing the previous statement and will try to factor in the considerations and issues raised by all. As soon as it is ready it will be posted here to invite the community for some final feedback before it is consolidated and put to the ALAC.
Olivier Crepin-Leblond
Copied from the At-Large mailing list, for the record:
Salanieta Tamanikaiwaimaro
Comments from Aida Noblia via email on February 8
On 08/02/2014 07:30, Salanieta T. Tamanikaiwaimaro wrote:
> There are 2.6 billion internet users should indicate that there are at
> least sufficient persons in the world who could meet the criteria for
> selection."
> --> With 2.6 billion Internet users in the world, there should be enough
> people in the world who could meet the criteria for selection
much of an improvement on the sentence.
Perhaps it needs to be re-phrased better than my suggestion. Please feel
free to improve it. :-)
Kind regards,
Olivier
I agree that the costs could be paid by others. The point was that ICANN
will not pay because it is part of the ceremony and to maintain the
objectivity of the TCR, which were not involved and witnessing part at a
time.
Regards
There could be a funding mechanism set up by ICANN which would give TCRs
independence from ICANN.
See IO office for an example.
be welcome in the Comment.
Kind regards,
Olivier
Comments from Aida Noblia via email on February 9
Maybe it could be .. would have to be something independent because for
example if Verisign understand that finance is not for being the company
that makes the technical part. I do not remember where I read the
suggestion that it could be an independent body and put sample Unesco.
Aída
Editor's comments
I have tried to factor in people's comments save for the use of the UNESCO model. Changes have been highlighted in blue and are in "bold" for ease of reading. I will ask Staff to replace the previous version with this but to remove the bold and the "color blue" so it is a cleaned edited version. I will also send them a word document via email for their records and alternatively for ease of copying into the final statement space.
Many thanks to the global At Large community for engaging in the discussions and allowing us to have a voice into the statement.
THIS IS THE FURTHER REVISED DRAFT OF THE STATEMENT
Background
The Affirmation of Commitment describes the Internet as a transformative technology that empowers people around the globe, spurs innovation, facilitates trade and commerce, and enables the free and unfettered flow of information[1]. One of the elements of the Internet's success is a highly decentralized network that enables and encourages decision-making at a local level. Notwithstanding this decentralization, global technical coordination of the Internet's underlying infrastructure - the Domain Name System[2] (DNS) - is required to ensure interoperability[3].
DNS Security Extensions[4] (DNSSEC) is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s global phone book. DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated. An individual signature is validated by following a chain of signatures to a key which is trusted for some extra-protocol reason. ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors[5] for the root zone of the Domain Name System.
Since July 2010, the DNS Root Zone has been secured using DNSSEC. The model of using DNSSEC in the DNS Root Zone revolves around a "key signing key" (KSK) that is managed by ICANN in two secure facilities. Four times a year, a ceremony is conducted at these facilities to perform operations involving the KSK. As a key part of this process, a minimum of three from a pool of 21 trusted community representatives (TCRs) attend each ceremony to enable access to the secure materials, to witness the procedure, and to attest that the ceremony was conducted properly.
Introduction
The At Large Community recognizes the role and significance that the DNS plays in ensuring interoperability. We recognize the importance of DNSSEC in the security, stability and resiliency of the Internet in the root zone and the subsequent deployment in DNS Infrastructure. Noting that at the time this statement was written there were 427 TLDs in the root zone of which 235 are signed and that 229 have trust anchors published in the DS records in the root zone whilst 4 TLDs have trust anchors published in the ISC DLV Repository, we hope that in time more TLDs will move towards having trust anchors published.
The Root Zone Key Signing Ceremony points to one of ICANN’s important functions of preserving accountability and transparency in the manner in which it conducts its DNSSEC Key Signing Ceremonies.
We recognize the unique combination the key-signing and TCRs make of broad participation, transparency and accountability in order to serve the central function of preserving and enhancing the stability, security and resilience of the DNS, thus engendering widespread trust.
We would like to congratulate all the stakeholders involved in the KSK management process on the services since the first KSK signing ceremony till to date. We welcome the opportunity to contribute to the Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies. Following consultations with the At Large community along the questions that was raised, we found that on some issues there was divergence of views and we have captured both views.
1. Is the current TCR model effectively performing its function of ensuring trust
in the KSK management process?
The current Trusted Community Representative (TCR) model has been effectively performing its functions of ensuring trust in the KSK management process; however, we make the following observations.
The Abbreviation Draft of the Key Signing Ceremony Annotated Scripts, which provides a permanent trusted record of the Ceremony, does not include a definition for "EW" when these appear to be sometimes the largest number of category of people at the Ceremony. The Key Signing Ceremony Annotates Scripts do not clearly state that there are no other participants (including Camera person) present apart from those listed.
2. Is the current size of the TCR pool appropriate to ensure sufficient
participation in the ceremonies, while not overburdening the availability of
specific volunteers?
There are two different views on this. The first view is that the current size of the TCR pool is sufficient. The second view suggests that the current size needs to be expanded to cater for unforeseeable circumstances (includes but is not limited to terrorist attacks, flight disruptions, state of emergency, civil war, etc) that could render all 21 TCRs incapable from attending to their responsibilities. The possibility of having signing at the same time in either the same country or different countries or frequency of signing could also exhaust reserves leading to overburdening these volunteers. There might be some merit in expanding the pool and retaining the TCRs whilst rotating them from within the pool.
3. Should there be a minimum level of participation required of a TCR in order
to be considered to be successfully discharging their duties?
The community believes that TCRs should meet the existing criteria merited of what would comprise a responsible TCR. TCRs should actively engage by writing reports which are made public. Minimum participation should include, attendance, engagement, carrying out responsibilities, writing full and thorough reports and listing concerns if any.
4. There is no standard provision to refresh the list of TCRs except when they
are replaced due to inability to effectively perform their function. Should
there be a process to renew the pool of TCRs, such as using term limits or
another rotation mechanism?
There are two views on this matter. The first view is that the existing pool and their indefinite terms are sufficient and that the 21 TCRs are more than enough to meet possible contingencies that may arise. That there is no need for process to renew the pool neither of TCRs nor to use term limits or introduce a rotation mechanism.
The other view is that there is need for term limits as the original TCR mechanism is silent on the term. Rotation would protect against potential capture. The world currently has an estimated population of 2.6 billion internet users. Given the said population of internet users, there would be a fraction of this that would constitute persons who have the technical proficiency to carry out the functions of a TCR from around the world. There is bound to be a sufficient pool of candidates that meet the prerequisites of a TCR. As such, it is possible to draw a larger reserve where persons of character, integrity who also possess all the pertinent skills are selected to facilitate the tasks of a TCR. Where there is an assumption of indefinite service as a TCR, there should be a constant requirement to disclose any and all potential conflicts of interest to disable the risk of “capture” by any stakeholder or interest.
5. The current model does not compensate TCRs for their services in order to
ensure their independence from ICANN.
a. Should the model of TCRs paying the costs of their participation be retained?
b. Would some form of compensation to offset the expenses incurred by the TCRs detract from their independence in performing the role?
c. If you support compensating TCRs for their expenses, are there requirements or limitations on whom the funding organization should be?
There are two divergent views in relation to this. The first view holds that the current model where TCRs pay the costs should be retained. TCRs should be cost-neutral for those not supported by firms or other entities should suffice. To create another source of travel funds for TCRs is poor and unwarranted.
The second view acknowledges the financial burden placed on TCRs. Although TCRs are volunteers, a system should be set in place that guarantees independence yet allows them to carry out their duty. A fund should be managed externally that is independent that can cater for the expenses of the TCRs.There should be limitations on those who can contribute to this fund. Any funds or gifts being awarded to the TCR should be promptly and formally disclosed through appropriate avenues. One of the suggestions for possible funding model is where ICANN sets up the fund as in the case of the Office of the Independent Objector (IO) where ICANN does not interfere with the decisions of the (IO).
Ends
Dev Anand Teelucksingh
Suggested change to the answer in Q1. New words in red, strikethrough in word should be removed
1. Is the current TCR model effectively performing its function of ensuring trust in the KSK management process?
The current Trusted Community Representative (TCR) model has been effectively performing its functions of ensuring trust in the KSK management process; however, we make the following observations.
The Abbreviation Draft of the Key Signing Ceremony Annotated Scripts, which provides a permanent trusted record of the Ceremony, does not include a definition for "EW" when these appear to be sometimes the largest number of category of people at the Ceremony. The Key Signing Ceremony
AnnotatesAnnotated Scripts do not clearly statethatwhether there are no other participants (including Camera person) present apart from those listed.Salanieta Tamanikaiwaimaro
These changes have been made. Thanks Dev for picking up on the grammatical errors.
Dev Anand Teelucksingh
Suggested change to the answer in Q2. New words in red, strikethrough in word should be removed
2. Is the current size of the TCR pool appropriate to ensure sufficient participation in the ceremonies, while not overburdening the availability of specific volunteers?
There are two different views on this. The first view is that the current size of the TCR pool is sufficient.
The second view
suggestsis that the current size needs to be expanded to cater forunforeseeable circumstancesunforeseen situations (includes but is not limited to terrorist attacks, flight disruptions, state of emergency, civil war, etc) that could renderall 21a majority of the TCRsincapable from attendingunable to attend to their responsibilities.The possibility of having signing at the same time in either the same country or different countries or frequency of signing could also exhaust reserves leading to overburdening these volunteers.However, there might be some merit in expanding the pool of candidate TCRs and retaining the TCRs whilst rotating them from within the pool of candidate TCRs.The line "The possibility of having signing at the same time....." is confusing to me. As I understand the Key Signing Ceremony, any such ceremony requires travel by some of 7 Crypto Officers to one of two facilities in the US. I don't think there are simultaneous actions happening at both facilities at the same time. I'll appreciate any clarification on this.
Salanieta Tamanikaiwaimaro
Thanks Dev. ICANN Staff will wait for a bit before they open the call on the statement and will make some adjustments. Many thanks for taking the time to review and contribute. I will accept the changes to the first paragraph on Q.2 but not with what you crossed out as it is a direct contribution from one of the stakeholders and it is simply to hammer the point.
I will not use "However" but will accept the other changes you made by elaborating on which pool.
Dev Anand Teelucksingh
Suggested change to the answer in Q4. New words in red, strikethrough in words should be removed.
4. There is no standard provision to refresh the list of TCRs except when they are replaced due to inability to effectively perform their function. Should there be a process to renew the pool of TCRs, such as using term limits or another rotation mechanism?
There are two views on this matter. The first view is that the existing pool and their indefinite terms are sufficient and that the 21 TCRs are more than enough to meet possible contingencies that may arise. That there is no need for process to renew the pool neither of TCRs nor to use term limits or introduce a rotation mechanism.
The other view is that there is a need for term limits.
as the original TCR mechanism is silent on the term. Rotation would protect against potential capture.The world currently has an estimated population of 2.6 billion internet users. Given the said population of internet users, there would be a fraction of this that would constitute persons who have the technical proficiency to carry out the functions of a TCR from around the world. There is bound to be a sufficient pool of candidates that meet the prerequisites of a TCR. As such, it is possible to draw a larger reserve where persons of character, integrity who also possess all the pertinent skills are selected to facilitate the tasks of a TCR.Given the Internet reaches an estimated 2.6 billion users all over the world, there should be enough candidates able to meet the criteria of being a TCR. Also, the number of candidate or backup TCRs can also be increased.
Regardless, where there is an assumption of indefinite service as a TCR, there should be a constant requirement to disclose any and all potential conflicts of interest to disable the risk of “capture” by any stakeholder or interest.
Salanieta Tamanikaiwaimaro
Comments from Aida Noblia via Email on February 12
Dear Dev and All_
The proportion of the world population and the number of TCR is not
relevant for the purposes of these ceremonies. This ratio is determined by
the specific needs of the ceremony, not proportion the world population.
There are four times in the year they are made ceremonies. To them is
determined by technical rules attending 6 or 8 people out of 21 that are
available. Increased availability does not mean most people in the
ceremonies. The question is not about how many people attend the ceremonies
but many are available for selection.
Kind Regards
Aída
Disclaimer: are only two times a year the ceremonies. There are two
ceremonies at a time, in total there are four ceremonies a year.
Aída
Hola a todos:
Al comentario de Dev: en la wiki:
La línea "La posibilidad de contar con la firma al mismo tiempo ....." es
confuso para mí. Según tengo entendido la ceremonia de firma clave,
cualquier acto requiere viajar por algunos de 7 Oficiales Crypto a una de
las dos instalaciones en los EE.UU.. Creo que no hay acciones simultáneas
que ocurren en ambas instalaciones al mismo tiempo. Voy a apreciar
cualquier aclaración al respecto.
Dev y todos: respecto al pedido de aclaración que Ud hizo sobre que se
hacen dos ceremonias por vez:
El documento "Review of Trusted Community Representation in Root Zone
DNSSEC Key Signing Ceremonies" dice en uno de sus párrafos Pego abajo los
textos y en negrita lo que copie textual.
"De los 21 TCR , siete tienen las credenciales como "oficiales " cripto
(COS) *para cada uno de los dos instalaciones*, y los siete restantes
actúan como "accionistas clave de recuperación " que sólo participar en las
ceremonias en el caso de que el número requerido de las OP no pueden
participar o existe la necesidad de reconstruir el KSK después de un evento
imprevisto. *De los siete* objetores de conciencia *para cada instalación*,
ICANN espera tener *cuatro asisten cada ceremonia* ."
En otro de los documentos de IANA, está más detallado y dice que ambas
ceremonias serán en dos diferentes lugares de un mismo país, al que
menciona, y aclara que una en la zona Este y otra en la zona Oeste. Estoy
buscando en cuál de los documentos leí esto. Es en el referido
específicamente a las ceremonias de la KSK. No recuerdo si es un txt..
refieren a normas técnicas de seguridad informática.
"Of the 21 TCRs, seven are credentialed as "crypto officers" (COs)* for
each of the two*
*facilities*, and the remaining seven act as "recovery key shareholders"
who only
participate in ceremonies in the event the requisite number of COs are
unable to
participate or there is a need to rebuild the KSK following an unforeseen
event. Of
the seven COs for each facility, ICANN aims to have *four attend each
ceremony.*."
In other documents IANA, is more detailed and it says both ceremonies will
be in two different places in the same country, which mentions and
clarifies that in the east and another in the west. I am looking at which
of the documents I read this. It is specifically referred to in the
ceremonies of the KSK. I do not remember if it's a txt .. refer to
technical standards of information security.
Saludos a todos
Aída
"
Email from Dev Anand Teelucksingh via email February 12
Thanks Aida for your attention to this.
I've been reading the document titled
"DNSSEC Root Zone High Level Technical Architecture" at
http://www.root-dnssec.org/wp-content/uploads/2010/06/draft-icann-dnssec-arch-v1dot4.pdf
pages 8 to 10 talks about the Key Signing Key (KSK) Ceremonies.
Some excerpts:
"The ceremonies will alternate between mirror sites to exercise their
operational readiness in case of emergency.....
....Once a new KSK is generated during a key generation ceremony, it is
backed up in
encrypted form on a smart card and distributed to the mirror site for
import and storage.
The key ceremony is inclusive of these events and is not deemed complete
until they
have all been performed. Key signing ceremonies (during which the contents
of the KSR are signed) are
more frequent than KSK generation ceremonies and, though they alternate
between sites,
a given signing ceremony does not involve the corresponding mirror site."
"The KSKs for the DNSSEC root zone system will be maintained at two offline
sites
each mirroring the other in functionality. To meet DoC requirements, the
two sites
maintaining the private half of the KSKs will be geographically dispersed
and within the
United States: one in Los Angeles, California (near ICANN headquarters) and
the other
outside the metropolitan Washington, D.C. area"
Therefore, this document indicates that the two facilities are NOT used at
the same time for any ceremony, but rather alternates between the two
venues.
Kind Regards,
Dev Anand
Thanks Dev for direction and clarification. That's where I read it.
Actually I never thought I will use the facilities for any kind of
ceremonies independent of each other, but there is as two complementary
parts are related. I think that says mirror for a ceremony. I'm not a
computer technician.
This topic is highly regulated by technical standards and Verisign company
offering computer security.
Regarding the TCR think it is important to note that the amount is
sufficient to meet the requirements and that of 21 selected 6 or 8. If a
ceremony without the other as you mention can be done with more reason is
that I do not need more than 21 TCR.
Greetings to all
Salanieta Tamanikaiwaimaro
Thank you Dev for these edits. I like the revised version with the population and ratio. I will also see what Aida's comments were but for the most part we should be good to wrap this up soon.
Salanieta Tamanikaiwaimaro
Editor's Notes
This is the revised version following comments from Dev and Aida. The Community is invited to see if there is consensus on the draft as it stands now. We have a very minute window for adjustments before this goes to the ALAC.
Further Revised Draft ALAC Statement on Review of TCR Mechanism dated 12th February, 2014
Background
The Affirmation of Commitment describes the Internet as a transformative technology that empowers people around the globe, spurs innovation, facilitates trade and commerce, and enables the free and unfettered flow of information[1]. One of the elements of the Internet's success is a highly decentralized network that enables and encourages decision-making at a local level. Notwithstanding this decentralization, global technical coordination of the Internet's underlying infrastructure - the Domain Name System[2] (DNS) - is required to ensure interoperability[3].
DNS Security Extensions[4] (DNSSEC) is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s global phone book. DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated. An individual signature is validated by following a chain of signatures to a key which is trusted for some extra-protocol reason. ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors[5] for the root zone of the Domain Name System.
Since July 2010, the DNS Root Zone has been secured using DNSSEC. The model of using DNSSEC in the DNS Root Zone revolves around a "key signing key" (KSK) that is managed by ICANN in two secure facilities. Four times a year, a ceremony is conducted at these facilities to perform operations involving the KSK. As a key part of this process, a minimum of three from a pool of 21 trusted community representatives (TCRs) attend each ceremony to enable access to the secure materials, to witness the procedure, and to attest that the ceremony was conducted properly.
Introduction
The At Large Community recognizes the role and significance that the DNS plays in ensuring interoperability. We recognize the importance of DNSSEC in the security, stability and resiliency of the Internet in the root zone and the subsequent deployment in DNS Infrastructure. Noting that at the time this statement was written there were 427 TLDs in the root zone of which 235 are signed and that 229 have trust anchors published in the DS records in the root zone whilst 4 TLDs have trust anchors published in the ISC DLV Repository, we hope that in time more TLDs will move towards having trust anchors published.
The Root Zone Key Signing Ceremony points to one of ICANN’s important functions of preserving accountability and transparency in the manner in which it conducts its DNSSEC Key Signing Ceremonies.
We recognize the unique combination the key-signing and TCRs make of broad participation, transparency and accountability in order to serve the central function of preserving and enhancing the stability, security and resilience of the DNS, thus engendering widespread trust.
We would like to congratulate all the stakeholders involved in the KSK management process on the services since the first KSK signing ceremony till to date. We welcome the opportunity to contribute to the Review of Trusted Community Representation in Root Zone DNSSEC Key Signing Ceremonies. Following consultations with the At Large community along the questions that was raised, we found that on some issues there was divergence of views and we have captured both views.
1. Is the current TCR model effectively performing its function of ensuring trust
in the KSK management process?
The current Trusted Community Representative (TCR) model has been effectively performing its functions of ensuring trust in the KSK management process; however, we make the following observations.
The Abbreviation Draft of the Key Signing Ceremony Annotated Scripts, which provides a permanent trusted record of the Ceremony, does not include a definition for "EW" when these appear to be sometimes the largest number of category of people at the Ceremony. The Key Signing Ceremony Annotated Scripts do not clearly state whether there are no other participants (including Camera person) present apart from those listed.
2. Is the current size of the TCR pool appropriate to ensure sufficient
participation in the ceremonies, while not overburdening the availability of
specific volunteers?
There are two different views on this. The first view is that the current size of the TCR pool is sufficient. The second view is that the current size needs to be expanded to cater for unforeseen circumstances (includes but is not limited to terrorist attacks, flight disruptions, state of emergency, civil war, etc) that could render a majority of the 21 TCRs unable to attend to their responsibilities. The possibility of having signing at the same time in either the same country or different countries or frequency of signing could also exhaust reserves leading to overburdening these volunteers. There might be some merit in expanding the pool and retaining the TCRs whilst rotating them from within the pool of candidate TCRs.
3. Should there be a minimum level of participation required of a TCR in order
to be considered to be successfully discharging their duties?
The community believes that TCRs should meet the existing criteria merited of what would comprise a responsible TCR. TCRs should actively engage by writing reports which are made public. Minimum participation should include, attendance, engagement, carrying out responsibilities, writing full and thorough reports and listing concerns if any.
4. There is no standard provision to refresh the list of TCRs except when they
are replaced due to inability to effectively perform their function. Should
there be a process to renew the pool of TCRs, such as using term limits or
another rotation mechanism?
There are two views on this matter. The first view is that the existing pool and their indefinite terms are sufficient and that the 21 TCRs are more than enough to meet possible contingencies that may arise. That there is no need for process to renew the pool neither of TCRs nor to use term limits or introduce a rotation mechanism.
The other view is that there is a need for term limits as the original TCR mechanism is silent on the term. Given the Internet reaches an estimated 2.6 billion users all over the world, there should be enough candidates able to meet the criteria of being a TCR. The number of candidate or backup TCRs can also be increased. Regardless, where there is an assumption of indefinite service as a TCR, there should be a constant requirement to disclose any and all potential conflicts of interest to disable the risk of “capture” by any stakeholder or interest.
5. The current model does not compensate TCRs for their services in order to
ensure their independence from ICANN.
a. Should the model of TCRs paying the costs of their participation be retained?
b. Would some form of compensation to offset the expenses incurred by the TCRs detract from their independence in performing the role?
c. If you support compensating TCRs for their expenses, are there requirements or limitations on whom the funding organization should be?
There are two divergent views in relation to this. The first view holds that the current model where TCRs pay the costs should be retained. TCRs should be cost-neutral for those not supported by firms or other entities should suffice. To create another source of travel funds for TCRs is poor and unwarranted.
The second view acknowledges the financial burden placed on TCRs. Although TCRs are volunteers, a system should be set in place that guarantees independence yet allows them to carry out their duty. A fund should be managed externally that is independent that can cater for the expenses of the TCRs.There should be limitations on those who can contribute to this fund. Any funds or gifts being awarded to the TCR should be promptly and formally disclosed through appropriate avenues. One of the suggestions for possible funding model is where ICANN sets up the fund as in the case of the Office of the Independent Objector (IO) where ICANN does not interfere with the decisions of the (IO).
Ends
Salanieta Tamanikaiwaimaro
The Statement has just been put to the ALAC for voting and the poll was open minutes ago. Please note that the poll will be open from 11-Feb-2014 23:59 UTC to 17-Feb-2014 23:59 UTC.
Many thanks to all those that contributed. Acknowledgements and Gratitude to the following persons:
Salanieta Tamanikaiwaimaro
For those who missed it, the ALAC voted 12 in favour of the Final Draft Statement. There were no abstentions and no negative votes. This is now closed. Thank you to all who participated in the process through either sharing the information to your ALSes, or soliciting input within the ALSes and RALOs. Many thanks. Finally, thank you to the ALAC for the final outcome. Thank you Staff for facilitating the process. This matter is now officially concluded.