On Monday 25 November 2013 at 21:06, Randy Bush wrote:
> seems to me that if the amazingly elaborate ceremonies around the root
> key do not include m of n needed to open the bottle, with the m and n
> distributed among multiple national jurisdictions, it is merely security
> theater.
Yes, that was what I was getting at.
The quarterly ceremonies are conducted to provide transparency and
accountability for the desired, intended processes during which the KSK is
necessarily exposed in order to generate signatures (and other key operations).
Safeguarding the process by which signatures are made is important, and so I
would not describe the ceremonies as theatre -- but they are not a complete
picture of the protection afforded to the KSK.
In between ceremonies, the copies of the KSK and the credentials by which an
HSM can be brought on-line should remain in their respective safes. There is no
international panel of trusted witnesses to that, nor could there reasonably be
(I wouldn't trust anybody who volunteered to sit in an empty machine room for
361 days of the year watching nothing happen).
ICANN has gone to great lengths with internal process and involvement of
external auditors (who scrutinise not only the provided documentation for
ceremonies and any other operational access to facilities that was required)
but who also consider compensatory controls such as unbroken CCTV footage from
facility providers, interviews with relevant staff, alarm logs within the key
management facility (and as retrieved from the separate, external central
station), access logs at the front security desk, etc.
This is all public information, and has been well described in operational
forums globally since around 2009.
Shenanigans with the KSK between ceremonies would involve collusion between
ICANN staff, auditors, facility staff, central station staff, and potentially
others. In ordinary times I would expect there to be too much
reputational risk individually and across the board for anybody to even
consider acting out of turn. However, these are all American companies, and I
don't know how to tell whether they have all individually been instructed to
act and conceal their action by order of law.
I recall one American company recently that has started making a point of
confirming that they have not been subject to any national security letters in
their annual reports, the idea being that they would be unable to make such an
assertion if the reverse was true; the precedent and routine facilitates future
disclosure-by-omission. Perhaps some or all of these companies might consider
doing the same thing.
Anyway, cutting to the chase, despite the fact that I believe the system as a
whole is about as well-designed as could be done within the requirements, I
think the original question is still reasonable and is still one that should be
asked of ICANN. I imagine they would enjoy giving a satisfactory response. The
staff concerned are also professional and diligent members of this community
and have a track record of welcoming and incorporating change from good
suggestions.
Joe