[ksk-change] FIPS-140 levels

Paul Hoffman paul.hoffman at vpnc.org
Sun Oct 5 18:41:17 UTC 2014

On Oct 5, 2014, at 11:28 AM, Richard Lamb <richard.lamb at icann.org> wrote:

> Thank you for lending your experience and voice of reason. I agree that
> from the perspective of our little community (which includes me) FIPS
> 140 level 4 is a bit overkill.

Note that I didn't say "a bit". FIPS-140 levels are progressively more restrictive, and I asked for examples of anything that we even need in level 2 that we do not provide ourselves.

> However, in architecting this system the
> target was a much broader audience with the idea that things like DANE and
> other key-in-dns technologies may someday bootstrap themselves from the DNS.
> Specifically I was thinking of the financial community and how to get their
> buy in.  This is what brings in the AICPA/CICA and the SysTrust audit we
> pass every year.  Again not because there is anything special about this
> process (although I do believe it does help keep ICANN at attention), but
> instead as a necessity to get the buy in from the "suits" of the world as
> without their trust*, I think we only have an expensive experiment.  

The banking community is one which understands physical security better than most. The kinds of things that IANA does for tamper evidence, tamper prevention, and operational role separation are way more effective and constantly provable than a FIPS-140 validation. This is particularly true because you cannot easily verify that a device is operating in "FIPS-140 mode". Banks appreciate proof, and the recording of the ceremonies and of the physical protections does that.

> But I
> am open to discussion and have heard many different suggestions, some very
> clever, on how to better manage the root KSK to both simplify and build
> trust from certain communities - but do not necessarily fit what auditors
> might consider best common practice.

Can you be more specific about the latter? That is, is there an auditor who is saying that IANA needs to conform to "common practice", not the better practice that you have instituted?

> Happy to make happen whatever everyone decides and even have someone change
> my mind that we need to make the accountants and lawyers of the world happy
> to make DNSSEC successful.

It could certainly help to document IANA's current (and expected future) practices in the same terms as what NIST uses for FIPS-140 higher-than-level-1 certification. The folks closest to the process already take some of those things for granted, but the communities you care about will want to hear about them.

--Paul Hoffman