They were seven – And they fought like seven hundred!
With less than a week to go before the opening of ICANN's DNSSEC root key generation ceremony, a roaring debate is under way in the technical community over whether the list of Trusted Community Representatives (TCRs) should be publicly revealed in advance. The TCRs were selected by ICANN to participate in the generation of the keys that will be used to digitally sign the DNS root zone file keyset, providing a single trust anchor for authenticating a global, secure DNS.
On one side of the corral, ICANN's Joe Abley defends the choice, stating that the intention of not revealing the identities of the TCRs in advance is:
to reduce the chance of pressure or influence being brought to bear against the volunteers. After the first ceremony the identities are all public anyway (as part of the full disclosure of audit materials).
To what ends would this pressure or influence that ICANN fears be brought to bear? The thread descends quite quickly into the absurd, revolving around obscure crypto attacks, obtuse Indiana Jones references (involving Nazis, of course, à la Godwin) and tin foil hats. On the other side of the corral is Nominet's Roy Arends, one of the principal architects and an ardent supporter of DNSSEC, who states:
If the list is not controversial, I see no reason to keep it under the hat. The reasons for keeping it secret are very minor, let alone valid (if not thought of in hindsight bias), so I guess next week, we'll see who's on the list, and thus why the secrecy. Keep in mind that these are trusted community representatives…I have acted as a reference for some [TCRs], solely because I trust these people blindly and I think they are able to represent the community well. They are on the list. Now I want to see the rest.
The problem that Arends alludes to is that there was no external vetting of the TCRs in the selection process. In an attempt to defuse this, Abley noted that all five RIR service regions were represented in ICANN's TCR solicitation process, and that the requirement for geographic diversity was applied in selection.
However, this dodges the problem. Given that the key generation protocol requires 3 of 7 Crypto Officers to generate a valid key for signing the root, it is quite possible under extraordinary circumstances for 3 individuals who might not have the trust of the global Internet community to generate a key and sign the root zone keyset. This is why diversity in the composition of and trust in all of the TCRs is so important. (We pointed out a similar flaw in VeriSign's root signing proposal last year in our comments to the DoC.) So far, a handful of members of the technical community have voluntarily identified themselves as likely East Coast TCR Crypto Officers, including Anne-Marie Eklund Löwinder, Robert Seastrom, Olaf Kolkman and Ólafur Guðmundsson (a designated backup). That leaves four.
It all makes you wonder if ICANN is either brilliant, naive, or something else. Even though crypto was widely liberalized in the 1990s, nation-states remain sensitive to its application to communications network infrastructure. ICANN would be wise to avoid that influence. Claiming “regional” TCRs is a useful tactic for avoiding the influence of the nation-state. But, depending on the final composition of the magnificent seven, it could be a way for one nation-state to, under extraordinary circumstances, maintain control of infrastructure critical to the global DNS. And that is why it would have been prudent for the Internet community to actually vet the TCRs in advance.