Re: https at ietf.org

[Joe Abley <jabley@hopcount.ca>]

On Monday 25 November 2013 at 21:06, Randy Bush wrote:
> seems to me that if the amazingly elaborate ceremonies around the root
> key do not include m of n needed to open the bottle, with the m and n
> distributed among multiple national juristictions, it is merely security
> theater.


Yes, that was what I was getting at.

The quarterly ceremonies are conducted to provide transparency and accountability for the desired, intended processes during which the KSK is necessarily exposed in order to generate signatures (and other key operations).

Safeguarding the process by which signatures are made is important, and so I would not describe the ceremonies as theatre -- but they are not a complete picture of the protection afforded to the KSK.

In between ceremonies, the copies of the KSK and the credentials by which an HSM can be brought on-line should remain in their respective safes. There is no international panel of trusted witnesses to that, nor could there reasonably be (I wouldn't trust anybody who volunteered to sit in an empty machine room for 361 days of the year watching nothing happen).

ICANN has gone to great lengths with internal process and involvement of external auditors (who scrutinise not only the provided documentation for ceremonies and any other operational access to facilities that was required) but who also consider compensatory controls such as unbroken CCTV footage from facility providers, interviews with relevant staff, alarm logs within the key management facility (and as retrieved from the separate, external central station), access logs at the front security desk, etc.

This is all public information, and has been well described in operational forums globally since around 2009.

Shenanigans with the KSK between ceremonies would involve collusion between ICANN staff, auditors, facility staff, central station staff, and potentially others. In ordinary times I would expect all of there to be too much reputational risk individually and across the board for anybody to even consider acting out of turn. However, these are all American companies, and I don't know how to tell whether they have all individually been instructed to act and conceal their action by order of law.

I recall one American company recently who has started making a point of confirming that they have not been subject to any national security letters in their annual reports, the idea being that they would be unable to make such an assertion if the reverse was true; the precedent and routine facilitates future disclosure-by-omission. Perhaps some or all of these companies might consider doing the same thing.

Anyway, cutting to the chase, despite the fact that I believe the system as a whole is about as well-designed as could be done within the requirements, I think the original question is still reasonable and is still one that should be asked of ICANN. I imagine they would enjoy giving a satisfactory response. The staff concerned are also professional and diligent members of this community and have a track record of welcoming and incorporating change from good suggestions.


Joe