Reply to post:

Internet root keymasters must think they're cursed: First, a dodgy safe. Now, coronavirus upends IANA ceremony

Lee D

So they're not going to know if the keys are in the parcels and work and that they have them until the day of the ceremony?

Anyone else spot a problem here?

And surely, if this stuff was ANYWHERE NEAR secure, those parties could all have an HSM of their own with which they could verifiably sign a key with another that only they could possibly be in possession of (the HSM and it's associated authentication) and then those keys - if they are in any way secure - can just be transmitted over the Internet (I would add the caveat of "avoiding DNS use" but that much should be obvious).

Safe and locks and stupid procedures opening envelopes in front of webcams is just ludicrous, I'm afraid. Unless someone can compromise 12 - or however many - independent people worldwide simultaneously, grab their HSM, torture them all for their signing info and private keys and passcodes, and sign off something fake without ANYONE noticing... even if they have to do that part of it one-by-one on a web video link...

They've had one near miss. They've set themselves up for another here. It's not going to be long before they totally screw it up because of some other instance they hadn't considered and it'll be game over for DNSSEC.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021