KSK Ceremony Laptop and OS Replacement

[Andres Pavez]

To Whom It May Concern,

The Root Key Signing Key (KSK) Ceremony Laptop and the Operating System (OS) image are an essential part of the KSK ceremony allowing execution of the Key Management Software to create, process and maintain cryptography keys and signatures related to the Domain Name System Security Extensions (DNSSEC).

There are to two duplicate Laptops and OS images on each Key Management Facility (KMF). They were placed into production in 2010 and they are still functioning, but as a conservative approach due laptop’s expected lifetime, new and modern Laptops along with an updated OS image will be placed into production to replace them.

Replacement Process:
The plan is increase the existing four Laptops with additional four new Laptops and an update OS image to be used in parallel for a transitional period to ensure the availability, integrity and transparency of the KSK operations.

Acceptance Testing of the new Laptops and OS image will be performed as an administrative ceremony which does not require activation of an HSM, before of the regularly East and West Coast KSK Ceremonies.

After a period of time using all the new Laptops and OS image with confidence that are functioning correctly and the continuity of the KSK operations will not be compromised, a decommission process for the old Laptops will be employed.

Laptop and OS Specifications:
The Laptops and OS image using in the KSK Ceremonies have been specifically selected to maintain the KSK Ceremonies secure, open and transparent as much as possible.

As part of the requirements, the laptops must not have hard drive and wireless communications. But also, required RJ45 network connection, CD/DVD tray, at least 4 USB and allow it to remove the battery.

Since the Laptop has not hard drive a custom Live OS image is necessary to allow to execute the Key Management Software and since the original OS image is from 2010 does not have the necessary drivers to works with a new generation of Laptops an upgrade of the current OS image is necessary.

The new OS image has been developed in form that is "reproducible" allowing to have the same HASH every time that the OS image is building. This provide a verifiable process to trust that the OS image is coming from a given source. More information and the OS image source code can be found at https://github.com/iana-org/coen 

Thank and best regards,
-- 
Andres Pavez
Cryptographic Key Manager
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4604 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/root-dnssec-announce/attachments/20180712/e8923c0e/smime.p7s>