[Ssr2-review] FW: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes

ALAIN AINA aalain at trstech.net
Wed Apr 19 10:50:30 UTC 2017


James,

> On Apr 18, 2017, at 11:02 PM, James Gannon <james at cyberinvasion.net> wrote:
> 
> Hi All,
> 
> I'm forwarding this as an example of a critical piece of information about the SSR of the unique identifiers system that would be (in my opinion) under our remit, but if we exclude PTI from scope then we have no visibility into such key matters.
> 
> It struck me a little while ago that we still have not agreed on whether PTI/IANA is in or out of scope for our review; this is a topic that we must come back to. If we look at it from a legal point of view as a wholly owned subsidiary ICANN is responsible for much of PTI as its sole member, and due to the interrelationship between the ICANN and PTI budgets there is a clear legal, operational and functional link to ICANN, and to discount that would be a huge risk for us in my opinion.

The agreements at https://pti.icann.org/agreements give more insight into ICANN's commitments towards PTI.
As said earlier, I do think this is in scope and is one of the new things this review must do compared to SSR1.

As for the root KSK, we will have to deal with it anyway when assessing the security, stability and resiliency of the DNS, as required by the 1st “SHALL do” of the SSR according to the bylaws.


Thanks

—Alain


> 
> -James
> 
> 
> -----Original Message-----
> From: root-ksk-ceremony-bounces at icann.org [mailto:root-ksk-ceremony-bounces at icann.org] On Behalf Of Andres Pavez
> Sent: Tuesday, April 18, 2017 7:50 PM
> To: Anne-Marie Eklund-Löwinder <anne-marie.eklund-lowinder at iis.se>; root-ksk-ceremony at icann.org
> Subject: Re: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes
> 
> 
> On 4/18/17, 04:38, "Anne-Marie Eklund-Löwinder"
> <anne-marie.eklund-lowinder at iis.se> wrote:
> 
>> Dear Andres,
> 
> Dear Anne-Marie,
> 
>> 
>> Even though I will not attend the ceremony in Culpeper next week, I
>> am still engaged in the proceedings of the ceremonies and the work
>> surrounding them, before and after.
> 
> Absolutely, we will miss you in Culpeper.
> 
>> 
>> I am interested to learn how you (IANA) perform change management in
>> general, and if the audit reports are publicly available. If so, where
>> can I find the documentation of the change process and the reports
>> resulting from an audit (not only the Systrust)?
> 
> We have a change management process and controls, but they are part of the SOC 2 and the report is not publicly available.
> 
>> 
>> I very much would like to read the audit report from the review of the
>> ksrsigner and other changes made by Snake Hill Labs Inc., and the
>> requirements from which the audit was performed.
> 
> Sure, the report is available at
> https://data.iana.org/ksk-ceremony/29/PTI-SHL-Independent_Code_Review-Final.pdf
> 
> The revision was performed following the DPS section 5.8. Life Cycle Technical Controls https://www.iana.org/dnssec/icann-dps.txt
> 
>> 
>> Is it possible to be more specific on what policies, procedures and
>> audit requirements have been used for the audit (I would appreciate
>> direct pointers to current documents)?
>> 
>> Furthermore it would be interesting to see the protocol from the tests
>> of the new code.
> 
> We have an internal information security policy that covers change controls (similar to what is in the DPS), a software maintenance procedure (including the github repository) and the audit controls. These documents have been reviewed by PWC as part of the audit. Unfortunately these documents are not public so I cannot point to them.
> 
>> 
>> Thank you in advance!
> 
> No problem, thanks to you. Let me know if you have any other questions or concerns.
> 
>> 
>> Kind regards,
>> 
> 
> Best regards,
> 
>> 
>> Anne-Marie Eklund Löwinder
>> Chief Information Security Officer
>> IIS (The Internet Infrastructure Foundation)
>> Phone: +46 734 315 310
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iis.se&d=DwIFAw&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=foU9Usw18Mt-lQEEtQUqT9FetK603awyEWUhExAm2uE&m=AQo2GMLt9bR1a0bJR8b2uAg6LS_fe9LXXWVY2tzcHpM&s=ytY4HekYHcp3x0LK0idm3XO9K7OFa8Z5mHhdQO9zA_s&e=
>> 
>> We are moving! From 2017-03-27 you'll find us at:
>> Visitors: Hammarby Kaj 10D
>> Mail: Box 92073, 120 07 Stockholm
>> 
> 
> --
> Andres Pavez
> Cryptographic Key Manager
> 
> 
> 
>> 
>> 
>> -----Original Message-----
>> From: root-ksk-ceremony-bounces at icann.org
>> [mailto:root-ksk-ceremony-bounces at icann.org] On Behalf Of Andres Pavez
>> Sent: 18 April 2017 01:54
>> To: root-ksk-ceremony at icann.org
>> Subject: [root-ksk-ceremony] Root DNSSEC KSK Ceremony 29 Changes
>> 
>> Dear TCRs and Ceremony Participants,
>> 
>> To accomplish the KSK rollover, we have created a new OS DVD release
>> KC-20170403 which contains the same OS as the previous release
>> (KC-20161014) with the changes we have made in the software component
>> (ksrsigner) that we use to sign the KSR along with other changes. These
>> changes have been tested with Verisign and also reviewed by Snake Hill
>> Labs Inc. to comply with our policies, procedures and audit requirements.
>> 
>> This new OS DVD will be introduced in the upcoming ceremony 29 on April
>> 27 in Culpeper and also we have made changes in the script based on the
>> comments and suggestions we received.
>> 
>> Attached you will find a version of the script that has the changes
>> marked in yellow for your convenience.
>> 
>> Below is a summary of the changes:
>> 
>> - Cosmetic corrections: fixing typos, formatting, etc.
>> - Removed the figure 1 sample of the ksrsigner output, since the
>> ksrsigner output is printed during the ceremony and is also attached in
>> the annotated script.
>> - Removed the figure 2 with sample image of the Tamper Evident Bag.
>> - Include PGP word list for the verification of the new OS DVD hash and
>> also for HSMFDs.
>> - Added a new bash script into the OS DVD to calculate, print and compare
>> hashes for HSMFDs. This bash script is available in the icann key tools
>> source code.
>> - Changed printlog bash script to better fit the ksrsigner output in one
>> page.
>> 
>> The Pre-Ceremony materials are available at
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__data.iana.org_ksk-2Dceremony_29&d=DwIFAw&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=foU9Usw18Mt-lQEEtQUqT9FetK603awyEWUhExAm2uE&m=AQo2GMLt9bR1a0bJR8b2uAg6LS_fe9LXXWVY2tzcHpM&s=hp2ci71OzCcEt39DlsS8XYpP9REQu6JVW7E6-TVKgzQ&e=
>> 
>> Please let me know if you have any questions.
>> 
>> Best regards,
>> --
>> Andres Pavez
>> Cryptographic Key Manager
>> 