[Ssr2-review] FW: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes

James Gannon james at cyberinvasion.net
Wed Apr 19 10:52:51 UTC 2017


Agreed and I think that we run the risk of not meeting our 'SHALL' commitment if we exclude PTI activities from our scope.

-James


From: ALAIN AINA [mailto:aalain at trstech.net]
Sent: Wednesday, April 19, 2017 11:51 AM
To: James Gannon <james at cyberinvasion.net>
Cc: SSR2 <ssr2-review at icann.org>
Subject: Re: [Ssr2-review] FW: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes

James,

On Apr 18, 2017, at 11:02 PM, James Gannon <james at cyberinvasion.net> wrote:

Hi All,

I'm forwarding this as an example of a critical piece of information about the SSR of the unique identifiers system that would be (in my opinion) under our remit, but if we exclude PTI from scope then we have no visibility into such key matters.

It struck me a little while ago that we still have not agreed on whether PTI/IANA is in or out of scope for our review; this is a topic that we must come back to. If we look at it from a legal point of view, as a wholly owned subsidiary ICANN is responsible for much of PTI as its sole member, and due to the interrelationship between the ICANN and PTI budgets there is a clear legal, operational and functional link to ICANN, and to discount that would be a huge risk for us in my opinion.

The agreements https://pti.icann.org/agreements give more insights on ICANN commitments towards PTI.
As said earlier, I do think this is in scope and is one of the new things this review must do compared to SSR1.

As for the root KSK, we will have to deal with it anyway when assessing the security, stability, resiliency of the DNS as required by the 1st "SHALL do" of the SSR according to the bylaws.


Thanks

-Alain




-James


-----Original Message-----
From: root-ksk-ceremony-bounces at icann.org [mailto:root-ksk-ceremony-bounces at icann.org] On Behalf Of Andres Pavez
Sent: Tuesday, April 18, 2017 7:50 PM
To: Anne-Marie Eklund-Löwinder <anne-marie.eklund-lowinder at iis.se>; root-ksk-ceremony at icann.org
Subject: Re: [root-ksk-ceremony] [Ext] SV: Root DNSSEC KSK Ceremony 29 Changes


On 4/18/17, 04:38, "Anne-Marie Eklund-Löwinder"
<anne-marie.eklund-lowinder at iis.se> wrote:


Dear Andres,

Dear Anne-Marie,



Even though I will not attend the ceremony in Culpeper next week I
am still engaged in the proceedings of the ceremonies and the work
surrounding them, before and after.

Absolutely, we will miss you in Culpeper.



I am interested to learn how you (IANA) perform change management in
general, and if the audit reports are publicly available. If so, where
can I find the documentation of the change process and the reports
resulting from an audit (not only the Systrust)?

We have a change management process and controls, but they are part of the SOC 2 and the report is not publicly available.



I very much would like to read the audit report from the review of the
ksrsigner and other changes made by Snake Hill Labs Inc., and the
requirements from which the audit was performed.

Sure, the report is available at
https://data.iana.org/ksk-ceremony/29/PTI-SHL-Independent_Code_Review-Final.pdf

The revision was performed following the DPS section 5.8. Life Cycle Technical Controls https://www.iana.org/dnssec/icann-dps.txt



Is it possible to be more specific on what policies, procedures and
audit requirements have been used for the audit (I would appreciate
direct pointers to current documents)?

Furthermore it would be interesting to see the protocol from the tests
of the new code.

We have an internal information security policy that covers change controls (similar to what is in the DPS), a software maintenance procedure (including the github repository) and the audit controls. These documents have been reviewed by PwC as part of the audit. Unfortunately these documents are not public so I cannot point to these documents.



Thank you in advance!

No problem, thanks to you. Let me know if you have any other questions or concerns.



Kind regards,

Best regards,



Anne-Marie Eklund Löwinder
Chief Information Security Officer
IIS (The Internet Infrastructure Foundation)
Phone: +46 734 315 310
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iis.se&d=DwIFAw&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=foU9Usw18Mt-lQEEtQUqT9FetK603awyEWUhExAm2uE&m=AQo2GMLt9bR1a0bJR8b2uAg6LS_fe9LXXWVY2tzcHpM&s=ytY4HekYHcp3x0LK0idm3XO9K7OFa8Z5mHhdQO9zA_s&e=

We are moving! From 2017-03-27 you'll find us at:
Visitors: Hammarby Kaj 10D
Mail: Box 92073, 120 07 Stockholm

--
Andres Pavez
Cryptographic Key Manager






-----Original Message-----
From: root-ksk-ceremony-bounces at icann.org
[mailto:root-ksk-ceremony-bounces at icann.org] On Behalf Of Andres Pavez
Sent: 18 April 2017 01:54
To: root-ksk-ceremony at icann.org
Subject: [root-ksk-ceremony] Root DNSSEC KSK Ceremony 29 Changes

Dear TCRs and Ceremony Participants,

To accomplish the KSK rollover, we have created a new OS DVD release
KC-20170403 which contains the same OS as the previous release
(KC-20161014) with the changes we have made in the software component
(ksrsigner) that we use to sign the KSR along with other changes. These
changes have been tested with Verisign and also reviewed by Snake Hill
Labs Inc. to comply with our policies, procedures and audit requirements.

This new OS DVD will be introduced in the upcoming ceremony 29 on April
27 in Culpeper and also we have made changes in the script based on the
comments and suggestions we received.

Attached you will find a version of the script that has the changes
marked in yellow for your convenience.

Below is a summary of the changes:

- Cosmetic corrections: fixing typos, formatting, etc.
- Removed the figure 1 sample of the ksrsigner output, since the
ksrsigner output is printed during the ceremony and is also attached in
the annotated script.
- Removed the figure 2 with sample image of the Tamper Evident Bag.
- Include PGP word list for the verification of the new OS DVD hash and
also for HSMFDs.
- Added a new bash script into the OS DVD to calculate, print and compare
hashes for HSMFDs. This bash script is available in the icann key tools
source code.
- Changed printlog bash script to better fit the ksrsigner output in one
page.

The Pre-Ceremony materials are available at
https://urldefense.proofpoint.com/v2/url?u=https-3A__data.iana.org_ksk-2Dceremony_29&d=DwIFAw&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=foU9Usw18Mt-lQEEtQUqT9FetK603awyEWUhExAm2uE&m=AQo2GMLt9bR1a0bJR8b2uAg6LS_fe9LXXWVY2tzcHpM&s=hp2ci71OzCcEt39DlsS8XYpP9REQu6JVW7E6-TVKgzQ&e=

Please let me know if you have any questions.

Best regards,
--
Andres Pavez
Cryptographic Key Manager
_______________________________________________
root-ksk-ceremony mailing list
root-ksk-ceremony at icann.org
https://mm.icann.org/mailman/listinfo/root-ksk-ceremony
_______________________________________________
Ssr2-review mailing list
Ssr2-review at icann.org
https://mm.icann.org/mailman/listinfo/ssr2-review
