Who do you trust to sign the root?

ICANN's Trusted Community Representative (TCR) program, which proposes to distribute signing authority for the DNS root zone among representatives of the Internet community, was launched by ICANN about two weeks ago.

DNSEXT Working Group participant Thierry Moreau observes that

basically, the concept (and details) of TCRs is the ICANN answer to the concern over a strengthening of DNS control, [and over allowing] international participation. The concept of TCR is also original – no other crypto deployment ever required, or seemed to require, a similar level of transparency.

But, despite the good intentions, Moreau has questions:

since ICANN has given no indication of TCR recruitment results (e.g. “Got a sufficient number of candidates that look serious upon a superficial review of submitted data”), we can only speculate about the orderly progress towards DNS root signature in a few weeks.

Unfortunately, nobody seems to care. It seems that all the talk in WSIS/IGF is going absolutely nowhere if the technical control [of DNSSEC implementation] is left wholly in the hands of USG partners. There is thus a considerable gap between governance commentators and actual practice. Note that a similar gap exists between actual practice and the crypto experts' criticisms of PKI (these experts would have to complain about some aspects of DNSSEC root key management, but they are silent these days).

Moreau's points are important. Our impression is that root signing will turn out similar to ICANN's other adventures into improving governance. That is, while rightly focused on the important goals of participation and transparency, there will be a lack of real diversity in how the root zone is governed. We'll likely see the usual suspects from the Internet technical community participate (e.g. Sweden's Kirei).

But, honestly, this is not entirely ICANN's fault. Who, other than the USG, really has an interest (particularly an economic one) in a signed root? And even if Internet users worldwide were demanding DNSSEC, many network operators, e.g., in China, Russia, etc., likely won't even use a signed root zone. So why bother participating in the theater?

5 comments

  1. Anonymous

    Why would it be the case that “many network operators, e.g., in China, Russia, etc., likely can't even use a signed root zone.” ??
    If they want to use DNSSEC, they can, there are no laws or treaties obligating or preventing such use.
    The likely reason that “ICANN has given no indication of TCR recruitment results” is because they haven't yet finished the recruiting/vetting process.

  2. Anonymous

    TCR applicants have just received this email:
    Dear TCR candidate,
    The provisional TCR application period closed on April 23rd. Thank you for applying. During the selection process, we will evaluate all statements of interest and will follow up with background and reference checks in the coming two weeks. A final selection is expected to be completed no later than May 24.
    The US East-Coast key ceremony is currently scheduled to take place over two days during the week of June 14-18, and the West-Coast ceremony will take place after that. Precise dates will be circulated as soon as they have been determined.
    We do recognise there is a NANOG meeting in San Francisco beginning of the week of June 14-18, and will schedule the ceremony to avoid conflict if at all possible.

    ICANN TCR-Applications Request System

  3. Anonymous

    Sheesh the Theater requires bigger Hip Boots each week.
    I guess when you have 150 people and millions of dollars in cash to spend each week you have to put on some sort of show.
    Maybe some DHS Hummers and S.W.A.T Team vehicles on display in Palo Alto would be cool?