[NCSG-PC] Review NCSG Comment on KSK Rollover Draft

Poncelet Ileleji pileleji at ymca.gm
Mon Mar 26 20:14:15 EEST 2018


Juan,

Its public holiday in my zone even on FRiday to  Monday we celebrate Easter
Monday too, so I will suggest  Tuesday please.

Thanks

On 26 March 2018 at 17:11, Juan Manuel Rojas via NCSG-PC <
ncsg-pc at lists.ncsg.is> wrote:

> Hi everyone!
> I think it is a good point what Ayden says. This Friday is holiday in many
> of our countries so I also think that could be happenning on Monday. I am
> not a Security expert, but I liked that subject a little bit.
>
> First, I am wondering Do we know how many people or non commercial
> organizations will be affected with this Rollover? I think there's no
> clarity because the use of this itself.  However I think we should add some
> about the test on the systems because I think that no many people
> understand that they need to do this before to confirme what action is
> needed.  ICANN have provided a free testbed to help any people determine if
> their systems can handle automated updates properly. What is also mentioned
> on RFC 5011 Automated Updates of DNS Security (DNSSEC) Trust Anchors. Did
> you know about this test? Any of you have tested? (I am testing it). I am
> waiting testing mail, this works as a emailing list to ckeck your own Keys.
>
> Those are some of my thoughts,
>
> Kind Regards,
>
> JUAN MANUEL ROJAS P.
> Presidente - AGEIA DENSI Colombia
> Communications Committee Chair. Non-for-Profit Operational Concerns
> Constituency (NPOC) - ICANN
> Cluster Orinoco TIC member
> Master IT candidate, Universidad de los Andes
>
> Cel. +57 3017435600 <+57%20301%207435600>
> Twitter: @JmanuRojas <http://www.twitter.com/jmanurojas>
>
>
>
>
>
>
>
>
> El lunes, 26 de marzo de 2018 9:49:59 a. m. GMT-5, Ayden Férdeline <
> icann at ferdeline.com> escribió:
>
>
> Another thought:
>
> The proposed roll over date is a Thursday in the evening (US), which is
> Friday in many parts of the world. If something went wrong, Friday may be
> an inopportune time for this to happen. Might it be better for the
> rollover, whenever it does occur, to happen on a Monday?
>
> Ayden
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 26 March 2018 2:46 PM, Renata Aquino Ribeiro <raquino at gmail.com> wrote:
>
> [observer]
>
> Hi
>
> I agree governmental actors should not really be the ones with this
> discussion in mind.
>
> This is a hot topic in RIRs
> LACNIC tour to ICANN in Vice News being case in point
> https://lists.ncuc.org/pipermail/ncuc-discuss/2018-March/043809.html
>
> Outreach to endpoints of industry chain is the best way to deal with the
> theme and is well covered by the comment.
>
> Best,
>
> Renata
>
>
>
>
>
> On Sun, Mar 25, 2018 at 9:03 PM, Rafik Dammak <rafik.dammak at gmail.com>
> wrote:
>
> Hi Ayden,
>
> Thank for those questions and review, looking for other PC members to do
> so.
> maybe something we can check with the draft team as they reviewed the
> material?
> I am not security expert but my understanding that risks depend on the
> threat model for this case.
> for outreach, ICANN did, in fact, contact government regulators and
> relevant authorities to share info with their local operators for the first
> iteration to inform them about KSK rollover. tbh I won't count on GAC to do
> such thing. Of course, more can be done but it is always challenging.
> I guess a monthly report may or not be used by users but at least can be a
> good transparency tool, identifying operators and can be used by the
> technical community itself not edn-users.
>
> Best,
>
> Rafik
>
> 2018-03-25 6:10 GMT+09:00 Ayden Férdeline <icann at ferdeline.com>:
>
> Hi all,
>
> Thanks to those who drafted this.
>
> From what I understand, delaying the now overdue KSK rollover yet again
> would increase the risk of key compromise. Security best practices suggest
> that ICANN should rollover the key on a regular basis. Are there any
> dangers to us supporting another postponement?
>
> I think our recommendation that the publication of a "monthly trust anchor
> report will give those Internet users who identify their local operators as
> “not ready” an opportunity to reach out to them directly prior to the root
> KSK rollover date" is far-fetched. I doubt any end-users will read it and
> take action. I believe the onus should be on ICANN (and possibly the GAC)
> to reach out to local operators who are not ready...
>
> Best wishes,
>
> Ayden
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 21 March 2018 6:28 PM, Rafik Dammak <rafik.dammak at gmail.com> wrote:
>
> Hi all,
>
> A draft we have to review for endorsment  asap,  the deadline for
> submission is the 2nd April.
>
> Best,
>
> Rafik
>
> ---------- Forwarded message ---------
> From: Louise Marie Hurel <louise.marie.hsd at gmail.com>
> Date: Thu, Mar 22, 2018, 3:23 AM
> Subject: [Public Comments] NCSG Comment on KSK Rollover Draft
> To: <NCSG-DISCUSS at listserv.syr.edu >
> Cc: Tomslin Samme-Nlar <mesumbeslin at gmail.com>, Dina Solveig Jalkanen <
> icann at thomascovenant.org>, Rafik Dammak <rafik.dammak at gmail.com>
>
>
> Hi all,
>
> Comments on the Plan to Restart the Root Key Signing Key (KSK) Rollover
> Process opened early February this year
> <https://www.icann.org/public-comments/ksk-rollover-restart-2018-02-01-en>.
> For those who have not been following the process that closely, KSK serves
> as a trust anchor for DNSSEC and was last (and for the first time) signed
> in 2010. ICANN had scheduled to implement a new key in October. However,
> they decided to postpone the signing of new cryptographic keys for the DNS
> after finding that the resolvers used by ISPs and network operators were
> still not ready and there's a need for more data in prepping for it.
>
> While the comment is narrow and highly technical in its scope, the overall
> idea of the process can be read as taking the next step in consolidating a
> way of periodically changing keys -- thus enhancing security and resilience
> in the DNS.
>
> Tomslin, Dina and I have worked on this draft
> <https://docs.google.com/document/d/1VNxn4UJlk8z196Kz56ucAdgyWp0ua9NmdHexRE1Wkhc/edit>
> and would be happy to get more comments edits, suggestions on this. Feel
> free to jump in.
>
> For more info, see here
> <https://www.icann.org/news/announcement-2017-09-27-en> and here
> <https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf>
> .
>
> All the best,
>
> Louise Marie Hurel
>
> Cybersecurity Project Coordinator | Igarapé Institute
>
> London School of Economics (LSE) Media and Communications (Data and
> Society)
> Skype: louise.dias
> +44 (0) 7468 906327
> *l.h.dias at lse.ac.uk <l.h.dias at lse.ac.uk> *
> louise.marie.hsd at gmail.com
>
>
>
>
> ______________________________ _________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/ listinfo/ncsg-pc
> <https://lists.ncsg.is/mailman/listinfo/ncsg-pc>
>
>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>
>


-- 
Poncelet O. Ileleji MBCS
Coordinator
The Gambia YMCAs Computer Training Centre & Digital Studio
MDI Road Kanifing South
P. O. Box 421 Banjul
The Gambia, West Africa
Tel: (220) 4370240
Fax:(220) 4390793
Cell:(220) 9912508
Skype: pons_utd







*www.ymca.gm <http://www.ymca.gm>http://signaraglobalsolutions.com/
<http://signaraglobalsolutions.com/>http://jokkolabs.net/en/
<http://jokkolabs.net/en/>www.waigf.org
<http://www.waigf.org>www,insistglobal.com <http://www.itag.gm>www.npoc.org
<http://www.npoc.org>http://www.wsa-mobile.org/node/753
<http://www.wsa-mobile.org/node/753>*www.diplointernetgovernance.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20180326/93c6d61e/attachment.htm>


More information about the NCSG-PC mailing list