DNSSEC requires cycling existing TCR for AES-256 symmetric encryptions or leveraging localised key share cycles.
HN is a quite well-known community. It is very common that people read the discussion on HN when their project or themselves are featured. And if they are that interested in what others think, they would then likely see comments such as mine. And if they are not the type to want to read comments, they won’t see my comment and therefore not be bothered by it.
I am baffled when trying to imagine why you think this is “mean-spirited”. On the contrary, this is the most respectful way to offer a minor suggestion that I can think of.
https://technotes.seastrom.com/assets/2025-11-23-passing-the...
Hypothetically, is there a way to know that those present were not under duress? I am guessing that duress is the only viable attack against the ceremony protocol — everyone present appears to play their part but, offscreen and visible only to the participants, are the villains and some hostages.
shruubi•2mo ago
ggm•2mo ago
It's very hard to get traction on this story because there is a lot of "don't prod the bear" regarding things ICANN can and should ask Department of State about, and things which really have moved into "self managed, independent international body" space. The reason there are two HSMs, east and west coast, was because of this kind of national-strategic sensitivity. It would be a low bar (only money) decision to duplicate the investment in Singapore and Geneva, two locations which ICANN has existing investment in, with good secure facilities and accepted by the wider public as "neutral" points.
When the KSK ceremonies started up, several people also pointed out that this "diverse locations" thing was a bit hokey. The response above is my re-write of the kinds of things said to me, at the time. If somebody wants to deny State or any other US federal agency influenced the decision I have no formal proof.
I should add as a declaration of interest I was at Rob's goodbye KSK event, I am a TCR, and I made such a submission this year. I have not received any indication it was understood or read, despite asking for some acknowledgement, but the process wheels in an agency like ICANN run to their own time.
tptacek•2mo ago
ggm•2mo ago
The least likely outcome of asking the Department of State if ICANN is "permitted" to add an HSM outside the USA is a positive answer.
The most likely path to doing it is not to assume you have to ask.
tptacek•2mo ago
ggm•2mo ago
jacquesm•2mo ago
ggm•2mo ago
But at a contractual level you could ask is there another company which could tender to operate the root publication function, and meet all stakeholder requirements? And, could that company be legally constituted outside the USA?
jacquesm•2mo ago
Given that they contributed one of the key components that made the internet into the success that it is as well as being internationally respected.
ggm•2mo ago
I worked in another RIR. I still contract there.
dc396•2mo ago
One of the issues is section 4.2 of the IANA Naming Functions contract:
"[...] Contractor must be able to demonstrate that all primary operations and systems will remain within the United States (including the District of Columbia). [...]"
The Key Management Facilities are considered a part of the "primary operations and systems". IIRC, this clause was included in order to move the transition of the IANA functions forward in the face of some resistance within the US government.
Until that bit of legalese is revised, there will be no movement on creating a non-US key management facility. I believe changing the IANA Functions contract requires the Customer Standing Committee. As far as I am aware, no one within the CSC thought it worth the effort, i.e., "if it ain't broke, don't fix it".
Perhaps under the current US administration, that feeling has changed, but I haven't heard of any significant efforts in that regard.
charcircuit•2mo ago
shmel•2mo ago
blibble•2mo ago
I suspect the only reason this hasn't been used as part of "deal leverage" is because the US regime doesn't know of its existence
monkey_monkey•2mo ago