FYI.

If you have comments or questions, please contact Kim or one of the TCRs.

Begin forwarded message:

From: Kim Davies <kim.davies@iana.org>
Subject: [RZERC] Contingency plans for the next Root KSK Ceremony
Date: 26 March 2020 at 01:52:29 GMT
To: "rzerc@icann.org" <rzerc@icann.org>

Colleagues,
 
(Feel free to circulate within your respective groups as you see fit.)
 
The IANA team, and the broader ICANN organization, have been giving significant thought to the Coronavirus pandemic and its impact on root zone KSK operations. Managing the KSK is centred on conducting "key signing ceremonies", where trusted community representatives (TCRs) attend from around the world to witness utilization of the root zone KSK private key. This approach seeks to engender trust in the broader community that the key has not been compromised, in addition to more typical controls such as third-party auditing.
 
In light of world events we have developed contingency plans around how to hold key ceremonies in the short term. To that end, we identified a graduated set of options, in summary:
  1. Hold the next ceremony as planned on April 23, with a quorum of participants globally.
  2. Hold the next ceremony on a different date using only US-based TCRs.
  3. Hold the next ceremony using our disaster recovery procedure, which provides for a staff-only ceremony (i.e. no TCRs would be physically present).
In general, our goal has been to navigate from Option 1, and if that is not possible, Option 2, and so on. However, at this time, our focus is on developing a plan around Option 3.
 
The ceremony is currently scheduled unusually early in the quarter (it is typically held in May), and needs to be held to generate signatures that will be needed in production for July. Our contingency plan is comprised of:
 
  • Holding the ceremony with a bare minimum of staff (approximately 6);
  • Using 3 TCRs’ credentials, either by having their access key transferred to us in a secure manner in advance of the ceremony, or by drilling the safety deposit box that holds their secure elements.
  • Holding the ceremony under typical audit coverage, allowing for remote witnessing of events by all, plus providing additional opportunities for TCRs to stay involved in the process remotely.
  • Signing key materials to cover one or more subsequent quarters, to provide relief from the need to necessarily hold ceremonies later in 2020 if circumstances disallow it. (The additional signatures would be withheld securely until they are needed.)
Our key management facilities were designed with the disaster recovery capability of performing staff-only ceremonies in mind, but this is a significant shift from normal operations and we want to promote broader community awareness of this work. Those directly involved in key ceremonies - the trusted community representatives, our vendors and auditors - have been consulted and are broadly supportive of this effort.
 
Should there be any specific feedback you would like to share with our team, please let me know or respond to this thread. We will take it into consideration as we finalize our plans.
Thank you for your support.