shruubi 9 hours ago

Not sure how geographically diverse it is to have two "highly secure sites" on the same continent.

  • ggm 9 hours ago

    Several people either in this circuit or close by made submissions to this effect to ICANN recently.

    It's very hard to get traction on this story because there is a lot of "don't prod the bear" regarding things ICANN can and should ask Department of State about, and things which really have moved into "self managed, independent international body" space. The reason there are two HSM east and west coast was because of this kind of national-strategic sensitivity. It would be a low bar (only money) decision to duplicate the investment in Singapore and Geneva, two locations which ICANN has existing investment in, with good secure facilities and accepted by the wider public as "neutral" points.

    When the KSK ceremonies started up, several people also pointed out that this "diverse locations" thing was a bit hokey. The response above is my re-write of the kinds of things said to me, at the time. If somebody wants to deny State or any other US federal agency influenced the decision I have no formal proof.

    I should add as a declaration of interest I was at Rob's goodbye KSK event, I am a TCR, and I made such a submission this year. I have not received any indication it was understood or read, despite asking for some acknowledgement, but the process wheels in an agency like ICANN run to their own time.

    • tptacek 9 hours ago

      What would "poking the bear" do here? What's the risk?

      • ggm 8 hours ago

        The risk is being told no, and inviting dissent into the independence of ICANN. Not asking means no risk of being told "no, you do as you're told" which would endanger the whole 3 legged stool. The GAC would immediately question the assumption the US government had that level of signoff, the money flows and lawyers would fire up, it would become a shitstorm in a teacup.

        The least likely outcome of asking the department of state if ICANN is "permitted" to add an HSM outside the USA, is a positive answer.

        The most likely path to doing it, is not to assume you have to ask.

        • tptacek 8 hours ago

          Interesting. Thanks!

          • ggm 8 hours ago

            It's my personal opinion from beer convos with people in the circuit. As I said I have no firm proofs and you should hedge belief in this by the lack of verifiable facts.

      • jacquesm 5 hours ago

        Don't we have the '98 DNS ROOT incident as a nice example of what could happen when the bear gets poked?

        • ggm 4 hours ago

          Yes, but we're a long way down "our hands are off it's ICANN now". The exception might be DNSSEC and the Verisign contract continuance. I have no complaint against Verisign, far from it: their staff are excellent and they are amazingly diligent and risk averse.

          But at a contractual level you could ask is there another company which could tender to operate the root publication function, and meet all stakeholder requirements? And, could that company be legally constituted outside the USA?

          • jacquesm 3 hours ago

            CERN?

            Given that they contributed one of the key components that made the internet into the success that it is as well as being internationally respected.

            • ggm 3 hours ago

              Possibly. Ex CERN staff have indicated they were dismayed when the address management function went elsewhere in Europe. I know people both sides of this divide, it's ancient history in some ways.

              I worked in another RIR. I still contract there.

  • charcircuit 5 hours ago

    There are security concerns having sites outside of America. I prefer keeping them only within my home country.

    • shmel 4 hours ago

      Equally there are security concerns having sites inside the US.

0x50000000 5 hours ago

KMF-East is the Gegenvorschlag, or counterproposed key-management for the resolution of TCP/IP ICANN domain certifications.

DNSSEC requires cycling existing TCR for AES-256 symmetric encryptions or leveraging localised key share cycles.

teddyh 5 hours ago

He should probably update his “About” page on his blog to remove “I sign the DNSSEC root”, then.