Web expert on his 'catastrophe' key for the internet
Marshall Eubanks
tme at americafree.tv
Fri Jul 30 05:59:13 UTC 2010
On Jul 30, 2010, at 12:55 AM, James Hess wrote:
> On Thu, Jul 29, 2010 at 10:23 PM, Franck Martin <franck at genius.com>
> wrote:
>> Hmmm, from the interview of the British guy, the smart card seems
>> to be in UK (he did a lapsus on it), which differs from what you
>> describe.
>
> You gotta read up on the whole ceremony and their statement of
> practices: https://www.iana.org/dnssec/icann-dps.txt ...
Hmm. Looks like an RFC, but isn't. Do you know if there are any plans
to actually publish this?
Regards
Marshall
> Crypto Officers are different from Recovery Key Share Holders.
> Crypto officers hold a key to a safe deposit box in the safe room
> Safe 2, containing the operator cards.
> "Tier 5"
>
> Each vault contains a Tamper-evident bag (TEB) with a smart card
> required to authenticate with the HSM to perform crypto operations.
> Those cards don't leave the facility.
> The operator cards are only authentication tokens, the key is stored
> on the hardware security modules.
>
> Hardware security modules, and the laptop+DVD+USB Flash stick required
> to operate them are stored in
> tamper evident bags in Safe 1.
>
> There are 7 crypto officers per site, but only 3 are required to
> authenticate to the HSM to enable it to perform operations.
>
> The recovery key share holders have a key to a bank safety deposit
> box under _their own_ control,
> containing a smartcard in tamper-evident bag, holding part of
> the HSM's internal encryption key.
>
> Each RKSH has to provide and maintain records of where they are
> storing their smartcard.
> 7 RKSH per site, but only 5 are required for recovery operations.
>
>
> --
> -J
>
>
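The 5-of-7 recovery quorum described above (each Recovery Key Share Holder holding part of the HSM's internal encryption key) is the kind of threshold scheme that Shamir secret sharing implements. The following is an added illustration, not code from the thread or from the ICANN DPS; it assumes Shamir sharing over a prime field, which the thread does not specify, and all values in it are constructed.

```python
"""Shamir secret sharing: split a key into n shares, any k of which rebuild it.

Models the thread's 5-of-7 Recovery Key Share Holder quorum. The field
prime and the sample secret are constructed for this example; the real
HSM's internal scheme is not described on this page.
"""
import secrets
from typing import Callable, List, Tuple

PRIME = 2**127 - 1          # Mersenne prime; field large enough for a 128-bit key
Share = Tuple[int, int]     # (x, f(x)) pair handed to one share holder


def split_secret(secret: int, threshold: int, shares: int,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Return `shares` points on a random degree-(threshold-1) polynomial
    whose constant term is `secret`. Any `threshold` points recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    # x = 0 is never issued: f(0) is the secret itself
    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate the shares at x = 0. With fewer than
    `threshold` shares this returns a field element unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)            # constructed stand-in for the HSM key
    holders = split_secret(key, threshold=5, shares=7)
    print("5 of 7 holders present:", recover_secret(holders[:5]) == key)
    print("only 4 holders present:", recover_secret(holders[:4]) == key)
```

Recovery with 4 shares fails deterministically rather than by chance: interpolating a degree-3 curve through 4 points of a degree-4 polynomial misses f(0) by the top coefficient times the product of the share indices.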