[Ssr2-review] FW: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes

James Gannon james at cyberinvasion.net
Tue Apr 18 19:02:09 UTC 2017


Hi All,

I'm forwarding this as an example of a critical piece of information about the SSR of the unique identifiers system that would be (in my opinion) under our remit, but if we exclude PTI from scope then we have no visibility into such key matters.

It struck me a little while ago that we still have not agreed on whether PTI/IANA is in or out of scope for our review; this is a topic that we must come back to. If we look at it from a legal point of view, as a wholly owned subsidiary ICANN is responsible for much of PTI as its sole member, and due to the interrelationship between the ICANN and PTI budgets there is a clear legal, operational and functional link to ICANN, and to discount that would be a huge risk for us in my opinion.

-James


-----Original Message-----
From: root-ksk-ceremony-bounces at icann.org [mailto:root-ksk-ceremony-bounces at icann.org] On Behalf Of Andres Pavez
Sent: Tuesday, April 18, 2017 7:50 PM
To: Anne-Marie Eklund-Löwinder <anne-marie.eklund-lowinder at iis.se>; root-ksk-ceremony at icann.org
Subject: Re: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes


On 4/18/17, 04:38, "Anne-Marie Eklund-Löwinder"
<anne-marie.eklund-lowinder at iis.se> wrote:

>Dear Andres,

Dear Anne-Marie,

>
>Even though I will not attend the ceremony in Culpeper next week I
>am still engaged in the proceedings of the ceremonies and the work 
>surrounding them, before and after.

Absolutely, we will miss you in Culpeper.

>
>I am interested to learn how you (IANA) perform change management in 
>general, and if the audit reports are publicly available. If so, where 
>can I find the documentation of the change process and the reports 
>resulting from an audit (not only the Systrust)?

We have a change management process and controls, but they are part of the SOC 2 and the report is not publicly available.

>
>I very much would like to read the audit report from the review of the 
>ksrsigner and other changes made by Snake Hill Labs Inc., and the 
>requirements from which the audit was performed.

Sure, the report is available at
https://data.iana.org/ksk-ceremony/29/PTI-SHL-Independent_Code_Review-Final.pdf

The revision was performed following the DPS section 5.8. Life Cycle Technical Controls https://www.iana.org/dnssec/icann-dps.txt

> 
>Is it possible to be more specific on what policies, procedures and 
>audit requirements have been used for the audit (I would appreciate 
>direct pointers to current documents)?
>
>Furthermore it would be interesting to see the protocol from the tests 
>of the new code.

We have an internal information security policy that covers change controls (similar to what is in the DPS), a software maintenance procedure (including the github repository) and the audit controls. These documents have been reviewed by PWC as part of the audit. Unfortunately these documents are not public, so I cannot point to these documents.

>
>Thank you in advance!

No problem, thanks to you. Let me know if you have any other questions or concerns.

>
>Kind regards,
>

Best regards,

>
>Anne-Marie Eklund Löwinder
>Chief Information Security Officer
>IIS (The Internet Infrastructure Foundation)
>Phone: +46 734 315 310
>https://www.iis.se
>
>We are moving! From 2017-03-27 you'll find us at:
>Visitors: Hammarby Kaj 10D
>Mail: Box 92073, 120 07 Stockholm
>

--
Andres Pavez
Cryptographic Key Manager



>
>
>-----Original Message-----
>From: root-ksk-ceremony-bounces at icann.org
>[mailto:root-ksk-ceremony-bounces at icann.org] On Behalf Of Andres Pavez
>Sent: 18 April 2017 01:54
>To: root-ksk-ceremony at icann.org
>Subject: [root-ksk-ceremony] Root DNSSEC KSK Ceremony 29 Changes
>
>Dear TCRs and Ceremony Participants,
>
>To accomplish the KSK rollover, we have created a new OS DVD release
>KC-20170403 which contains the same OS as the previous release
>(KC-20161014) with the changes we have made in the software component
>(ksrsigner) that we use to sign the KSR along with other changes. These
>changes have been tested with Verisign and also reviewed by Snake Hill
>Labs Inc. to comply with our policies, procedures and audit requirements.
>
>This new OS DVD will be introduced in the upcoming ceremony 29 on April
>27 in Culpeper and also we have made changes in the script based on the
>comments and suggestions we received.
>
>Attached you will find a version of the script that has the changes
>marked in yellow for your convenience.
>
>Below is a summary of the changes:
>
>- Cosmetic corrections: fixing typos, formatting, etc.
>- Removed the figure 1 sample of the ksrsigner output, since the
>ksrsigner output is printed during the ceremony and also is attached in
>the annotated script.
>- Removed the figure 2 with sample image of the Tamper Evident Bag.
>- Include PGP word list for the verification of the new OS DVD hash and
>also for HSMFDs.
>- Added a new bash script into the OS DVD to calculate, print and compare
>hashes for HSMFDs. This bash script is available in the icann key tools
>source code.
>- Changed printlog bash script to better fit the ksrsigner output in one
>page.
>
>The Pre-Ceremony materials are available at
>https://data.iana.org/ksk-ceremony/29
>
>Please let me know if you have any questions.
>
>Best regards,
>--
>Andres Pavez
>Cryptographic Key Manager
>