<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Dear RSSAC Caucus,
<div class=""><br class="">
</div>
<div class="">I’m starting to put together a statement from the RSSAC in response to the Public Comment Proceeding on the Proposal for Future Root Zone KSK Rollovers.</div>
<div class=""><br class="">
</div>
<div class="">I based if off of RSSAC039, but it’s mostly just boilerplate right now.</div>
<div class=""><<a href="https://docs.google.com/document/d/1U1qKPRx9URRfiI4jijvLKSCS2W6upZRDppUsbANqIOg/edit?usp=sharing" class="">https://docs.google.com/document/d/1U1qKPRx9URRfiI4jijvLKSCS2W6upZRDppUsbANqIOg/edit?usp=sharing</a>> <br class="">
<div><br class="">
</div>
<div>One concern I have is in RSSAC039 the RSSAC was very clear in keeping comments within the scope of the RSSAC. See section 2 of RSSAC039.</div>
<div><<a href="https://www.icann.org/en/system/files/files/rssac-039-07aug18-en.pdf" class="">https://www.icann.org/en/system/files/files/rssac-039-07aug18-en.pdf</a>></div>
<div><br class="">
</div>
<div>Some of the comments below I construe as being outside of RSSAC’s scope. Specifically the comments about key breakage and algorithm rolls. I’m having a hard time understanding how key compromise would impact the operation, administration, security, or
 integrity of the RSS. </div>
<div><br class="">
</div>
<div>We could relate these to the operation, administration, security, or integrity of the RSS. For example, if the KSK were compromised it would likely require some kind of emergency procedure to take place at IANA, the RZM and RSOs. That kind of emergency procedure
 might be interesting to mention in RSSAC’s statement, but is this what the RSSAC Caucus actually wants to discuss?</div>
<div><br class="">
</div>
<div>—Andrew</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Dec 16, 2019, at 12:04, ABDULKARIM AYOPO OLOYEDE <<a href="mailto:oloyede.aa@unilorin.edu.ng" class="">oloyede.aa@unilorin.edu.ng</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div dir="ltr" class="">Hi Fred,
<div class="">I agree with you. It should be from the group if we majorly agree that they are valid observation which I think they are.</div>
<div class="">Thanks</div>
<div class="">AK</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Dec 16, 2019 at 4:55 AM Fred Baker <<a href="mailto:fred@isc.org" class="">fred@isc.org</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I'm pulling together comments that we might make. I am including who said them, because we said that Caucus contributions would be attributable to their source. Speaking for myself, I would rather have the comments be considered to have been made by the committee,
 which is to say without attribution. If that's a general viewpoint, let me know.<br class="">
<br class="">
George Michaelson:<br class="">
The proposal should address algorithm rollover. As that is considered out of scope for this version, propose for the next change.<br class="">
<br class="">
The proposal should include measurement. (George: specifically what would you like to measure?)<br class="">
<br class="">
The alternate/replacement key pre-gen stuff is forward-thinking, and good.<br class="">
<br class="">
Paul Muchene:<br class="">
Phase D, the KSK standby state, potentially invites an attacker to exploit possible vulnerabilities with either the properties of the key or the key generation algorithm.<br class="">
<br class="">
If phase D could be reduced to a reasonably shorter duration (1-1.5 years), this problem could be mitigated. However, if this duration is pretty short and will inconvenience the dissemination of the KSK to OS and DNS software vendors, then considerations should
 be proposed for using a longer KSK key length of 3072-bit RSA. <br class="">
<br class="">
Dessalegn Yehuala:<br class="">
Section 2.4 seems to give a soft rationale for the rollover frequency. Arguments exist for a longer or a shorter interval, and these arguments don't seem to be strong enough to make a firm choice.<br class="">
<br class="">
Section 2.6 assumes the current state of the strength of the cryptographic algorithm employed for the KSK (2048-bit RSA); there is no risk mitigation identified in the event the current cryptographic algorithm is discovered to have some exploitable vulnerabilities.
<br class="">
<br class="">
Fred Baker: in that context, researchers from KeyFactor presented a paper at the First IEEE Conference on Trust, Privacy, and Security that reported that one in 172 RSA certificates certified keys for which the private key could be derived from the public key.
<br class="">
<br class="">
Davey Song: Suggests changing to an ECC algorithm rather than changing to a 3072 bit key.<br class="">
<br class="">
There should be a predictable timeline for algorithm rollover and, as a result, an advance timeline for study, review, and testing work on this.
<br class="">
_______________________________________________<br class="">
rssac-caucus mailing list<br class="">
<a href="mailto:rssac-caucus@icann.org" target="_blank" class="">rssac-caucus@icann.org</a><br class="">
<a href="https://mm.icann.org/mailman/listinfo/rssac-caucus" rel="noreferrer" target="_blank" class="">https://mm.icann.org/mailman/listinfo/rssac-caucus</a><br class="">
<br class="">
_______________________________________________<br class="">
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=6Ofcp8ySjIV4PyxmOHryNSEfdtF20RIPr4_vkIqkGBo&e=" rel="noreferrer" target="_blank" class="">https://www.icann.org/privacy/policy
 [icann.org]</a>) and the website Terms of Service (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=FyQnELgohgCoFpJyRerG5q4TaQNzy1zBhXuc20WoxQc&e=" rel="noreferrer" target="_blank" class="">https://www.icann.org/privacy/tos
 [icann.org]</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<br class="">
</blockquote>
</div>
<br clear="all" class="">
<div class=""><br class="">
</div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div style="font-size:small" class=""><br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
<div class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.unilorin.edu.ng&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=QW3g6IgvgNsLfevdIMm0f8e7krZxfgThukGojV5sfOQ&e=" style="font-size:1.3em" target="_blank" class="">Website
 [unilorin.edu.ng]</a><span style="font-size:1.3em" class="">,</span><span style="font-size:1.3em" class=""> </span><span style="font-size:1.3em" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.unilorin.edu.ng_index.php_bulletin&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=R-cuxY6R_T6-EyiAGeQfcGVbCvJIVYqPUp7xdllYhcU&e=" target="_blank" class="">Weekly
 Bulletin [unilorin.edu.ng]</a> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__uilugportal.unilorin.edu.ng_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=6qWa9ywN9F9hB9z96shmDUNFFRP3D8TiCKI8itl7gaw&e=" target="_blank" class="">UGPortal
 [uilugportal.unilorin.edu.ng]</a> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__uilpgportal.unilorin.edu.ng_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=TpO5SHQq7mG2VnkSOjDUIZGueNsZDJL5YLnBnmeiv_4&e=" target="_blank" class="">
PGPortal [uilpgportal.unilorin.edu.ng]</a></span></div>
<div class=""><br class="">
</div>
_______________________________________________<br class="">
rssac-caucus mailing list<br class="">
<a href="mailto:rssac-caucus@icann.org" class="">rssac-caucus@icann.org</a><br class="">
https://mm.icann.org/mailman/listinfo/rssac-caucus<br class="">
<br class="">
_______________________________________________<br class="">
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=6Ofcp8ySjIV4PyxmOHryNSEfdtF20RIPr4_vkIqkGBo&e=
 ) and the website Terms of Service (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=KNEpS67O2txk54bIz-1lXP0tI5Rmtg88Ogwh6PVSGXJyTMuY0E2SHr70jrG3fGLJ&m=TknxMoOgHoE-bpoXrliyAKJCzoYw0WTQHHTYstBDwCw&s=FyQnELgohgCoFpJyRerG5q4TaQNzy1zBhXuc20WoxQc&e=
 ). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>