[AfrICANN-discuss] Major Milestone for the Internet and ICANN

[Anne-Rachel Inné]

Major Milestone for the Internet and ICANN

The KSK Key Signing Ceremony is Now Complete

16 June 2010

Today in the small town of Culpeper, Virginia, ICANN technical staff played
host to an unusual and somewhat arcane event. Volunteers from over ten
countries made their way by plane, train and automobile to witness and
participate in the generation of the cryptographic key that will be used to
secure the root zone of the Domain Name System using DNSSEC for the first
time.

During the ceremony, participants were present within a secure facility and
witnessed the preparations required to ensure that the so-called
key-signing-key (KSK) was not only generated correctly, but that almost
every aspect of the equipment, software and procedures associated with its
generation were also verified to be correct and trustworthy. The ceremony
was conducted with the goal of ensuring that there is widespread confidence
throughout the technical Internet community that the root zone, once signed,
can be relied upon to protect users from false information.

Ceremony participants referred to an extremely detailed checklist and were
able to confirm that every aspect of the process was executed exactly as
planned. The entire event was video-recorded simultaneously by three
separate cameras, and ICANN arranged for the whole system to be subject to a
SysTrust audit, a process supported by the archived, unedited video footage
and the legal attestations of key participants.

The path down the long road to Culpeper has required considerable effort and
investment by ICANN, and has benefited from an extremely productive
collaboration between staff at ICANN, VeriSign and the US Department of
Commerce. ICANN, with the help of some talented consultants, has designed
processes that are thought to surpass those of many commercial Certificate
Authorities not only in the degree of openness and transparency in their
design and execution, but also in terms of the security engineering
involved.

The design of the overall system requires ICANN to execute a ceremony like
this one four times per year. The next ceremony is scheduled to take place
on July 12 in El Segundo, California, where ICANN has built a second
facility intended to ensure continuity for the DNS (and hence Internet users
world-wide) in the event of a serious disaster in one location.

All design documentation for the ceremony will be published by ICANN, not
only to promote transparency in the process for the root zone, but also to
act as a valuable reference to any other organization that needs to build
similar systems to support DNSSEC in top-level domains, enterprises, or
anywhere else. The deployment of DNSSEC in the root zone of the DNS will
hence not only act as a catalyst for global DNSSEC deployment because of the
special nature of the root zone, but also because of the design and
engineering investment ICANN is giving back to the wider community.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20100617/71d77a27/attachment-0001.htm