The Brit charged with holding one of seven digital keys necessary to re-establish a system of trust in the highly unlikely event of a collapse of the DNSSec (DNS Security Extensions) system has spoken of the practicalities of his responsibility. Paul Kane, chief exec of CommunityDNS and chair of the DNS Infrastructure Resilience …
>Instead of Mordor, the key-holders would need to travel to a secure US data centre
What would be the difference then? Fewer dwarfs perhaps?
What would be the difference then?
1) Mordor border control are much nicer, better with people and more knowledgeable.
2) Plus once you are in Mordor the beer is better.
Data devices into the US
You can just see it, can't you.
Paul Kane rolls up to US Border Control in a hurry to take the key to the "Secure IT data Centre" in the US. USBC take one look at the smart card, and conclude that it might contain terrorist data or pornography.
USBC: Excuse me Mr Kane, could you give me access to the information on this memory card?
PK: I'm sorry, the contents are encrypted, and are actually a security key for DNS on the Internet
USBC: A key for the Internet, you're kidding me. Show it.
PK: I'm sorry again, but I cannot do that, because if I release it to you, it may compromise the security of DNSSEC.
USBC: Are you refusing to co-operate, and hand over the keys to unlock the data? I'm afraid we're going to have to take it and give it to our experts in the FBI to confirm there is nothing illicit on this card. We'll get it back to you when we are finished. Oh, by the way, we might damage the data while we are doing it.
A good job the Internet will continue without them!
"USBC: Are you refusing to co-operate, and hand over the keys to unlock the data? I'm afraid we're going to tase you silly now"
This guy probably also has Obama's signature on a piece of document and another from the NSA/CIA/FBI somewhere that also allows him to forego security checks in cases of emergency.
Trolls. I could never tell the difference between them and elves.
So let me see if I understand this...
if something happens to DNSSec, which is something for doing something, some people will have to go somewhere and do something? Having done that, the original something that happened won't just happen again? Or not? Glad we've cleared that up.
"in the unlikely event of an attack so serious that the system of trust established by DNSSec has to be re-established from scratch"
What would such an attack involve?
Expect the unexpected
> What would such an attack involve?
No one knows. Though it's a fair guess that whatever it is, it won't be any of the things that were foreseen. Specifically, if the internet's system of trust has broken down irreconcilably, how will this guy - or any of the others, buy a plane ticket to get them to wherever it is they need to be?
What would such an attack involve?
Compromise of the secret root-zone signing key associated with the widely known public part of this keypair, followed by the publication and circulation of a self-signed revocation certificate for the root zone key.
In practice as most DNSSEC clients will rarely need a top level domain (TLD) key that isn't more locally cached, if the root zone trust can be reestablished with this procedure within a week or so, most clients would rightly continue to trust the cached TLD keys so most Internet users and services wouldn't notice. Nothing to prevent clients establishing trust anchors elsewhere in the hierarchy, e.g. at frequently used TLDs or other frequently used domains.
>how will this guy - or any of the others, buy a plane ticket
Because before the internet, nobody was capable of booking flights anywhere!
fresh start, lean infrastructure
Rent a seat on boarding the plane. The IT was only there for past and the future tracking, and provided data to different security interests who thought they needed to know.
If we could get the airlines sorted just by crashing the internet, go for it.
I assume that Paul Kane (chief exec of CommunityDNS) was given the key by his IT support department ... staffed by two people called Roy and Moss
It is kept at the top of Big Ben because that is where it gets the best reception.
I presume you mean...
..the clock tower, rather than the bell which has that name.
That was a quote from The IT Crowd and as such was correct. Take up your badly-tagged pedantry with Graham Linehan although I'm sure he will have a much better comeback than you.
Well who'd a thunk it. A quote from the IT Crowd that wasn't funny. Just like all the other quotes from the IT Crowd.
Dan Brown is going to love this.
I'll bet Tom Hanks is already cast as the academic who suddenly has to save the world.
Re: Dan Brown is going to...
Dag nab it! I thought I was going to be the first with the movie idea!
Though mine is more along the lines of the cards being counterfeited, and the copies substituted for the originals in 5 of the 7's safes... Then the DNSsec system would be "rebooted" under another base server control and no one would realize... UNTIL IT'S TOO LATE!
Step 3: Profit!
The elders of The Internet!
..and why isn't the Hawkmeister himself one of them?
If the interweb is really that stuffed
How will he book his flight?
- Website down.
- Call centre (voip) down
Or does some black helicopter operating agency scoop him up and take him to a waiting lear jet?
I'm genuinely interested to know if there is a plan for his travel as whilst the world worked OK before the internet, and should do so without it, things might be a little disrupted for a while, and if they're very disrupted, the authorities may have more pressing "civil" issues than getting the magnificent 7 from wherever they are (holidays, work travel etc) to the US.
Read again please.
Specifically the part that the Internet would not collapse. It would still operate only that surfers would not be able to validate that the website that they were visiting was genuine.
He might get conned into booking a flight on a spoof website... but he would still be able to book actual flights over the net and VOIP would still work.
"fundamental catastrophic failure"
While they CLAIM the internet would continue and everything would work without being able to validate, the very words they use would indicate this is not the case.
"fundamental catastrophic failure" could easily affect more than just DNSSec, so I'd be fairly sure they have contingency plans in place. They might not be on the tarmac, engines running, but somebody will be getting a military escort (although whose military is open for debate).
And let's also face the fact that while the user might not be able to validate the airline website is genuine, the airline might also not be able to validate the card request is genuine, and Visa might not be able to validate the airline is genuine, and the bank might not be able to validate Visa is actually Visa. All of which means Mr Kane has a suitcase of varying currencies so he can buy a ticket at the desk at the airport.
Maybe not Mordor but close...
Considering the hassle of getting into the US at the moment, I'm sure it's not that much more difficult than getting into Mordor...
One does not..
...simply tank cat into the United States...
If something that catastrophic occurred...
...I'd imagine that hopping on the next 747 to the colonies might prove somewhat tricky.
Telegraph finger on pulse
Reassuring to see that readers of this esteemed organ...
( http://www.telegraph.co.uk/technology/internet/7914153/Briton-holds-key-to-the-internet.html )
... will be fully briefed on the salient details of this story, as they determine the future of the country/international megacorp/village cricket club, whilst dozing in a club chair, briar pipe in hand...
Not sure if the link to the "IT Crowd" clip is ironic or by way of further explanation...
One does not simply walk into...
A secure US data centre
sashay in instead?
What if you've got a
... magic crystal key eh? What then ... Didn't think of that did you?
Walk? Perhaps not. But given the experiences of Gary McKinnon, getting into a secure US data centre clearly isn't that difficult.
The data center?
Surely there should be at least one on each of the 5 major inhabitable continents as a matter of redundancy.
I'm sure there will be
...once the US is given leave to create a State on each continent. They're as likely to put that level of secure establishment outside the US as we British are to leave the Crown Jewels as a security deposit in the Bank of Zimbabwe.
Even the Reg can't get it right...
I kind of expected the sensationalist reporting on other (less technical) sites, including comments like "reboot the internet" etc, but I did hope the Reg would get it right...
"rebuilding the digital map used to route traffic on the internet" - DNS has nothing to do with how traffic is routed, that's managed by routing protocols, the primary one in use being BGP.
"to guard against the possibility of surfers being deceived by forged web sites or spoofed emails" - DNSSEC does not stop someone seeing a spoofed e-mail and following a link - what it protects against is DNS cache poisoning and the like, it will make absolutely zero difference to the multitude of phishing e-mails that exist.
C:\Documents and Settings\>telnet mordor
Connecting To mordor...Could not open connection to the host, on port 23: Connect failed
one does not simply telnet into Mordor!
your problem there is
Mordor uses ssh not telnet :D
by "ssh", I'm presuming you mean "Shelob's Spider Hole" ?
Why would he identify most with the old gay wizard?
There were many other younger more vibrant people in those films and this guy chooses a decrepit old man.
Not really the best choice is it?
Interviewer: And how will you get to the secure US data centre?
Kane: Fly, you fools!
If there are seven keys/rings, he should imagine himself as a dwarf.
Why this anti-aged rant? Are you simply jealous of the old man's generous and rock solid pension?
..he can spel, and nose what grammer is?
Not a rant, it's called a question
Gandalf had hardly anything to do with delivering the ring, that was the two height challenged people and their Smeagol friend (who looked like an extra in The Hills Have Eyes)
Way too melodramatic
All this jumping onto transatlantic flights is ridiculous. All these people need to do is send their key in an e-mail to the datacentre. Then, they do a copy/paste job and it's good to go.
Actually, it *is* a bit more melodramatic than that, but without all the urgency...
The reader should be physically connected for security; you (or the card, at least) have to physically be there for it to be "read". The encryption chip being on the card itself.
...and just as secure as Chip & PIN, no doubt.
an alternative explanation
> In the event of a collapse of the DNSSec system five of these holders need to travel to a secure data centre location in the US to restart the process ..
No, no, no, from yesterday's Metro: "A new safety system has been put in place allowing much of the net to be shutdown in an emergency .."
So you see, what's really happening here is the implementation of a system for a central authority to arbitrarily SHUT DOWN the Internet, the ultimate effect being to prevent the free flow of information.
<insert quote from Orwell>
Re : an alternative explanation
<insert quote from Orwell>
Have you seen my glasses. Always lose the bloody things, never remember where I put them.
</insert quote from Orwell>
So if it's 5 of the seven..
.... and there's a Brit and perhaps somebody in Western Europe / Scandinavia, I bet the recent volcano thing and the closure of airspace gave them pause for thought about their approach.
I understand the principles of change management, but for Christ's sake flying seven people to a datacentre with Smartcards they need to physically have with them sounds like overkill. If some of the people are in Asia / Oz and need to fly you've automatically built yourself in a good 12 hour delay before you can switch to BCP just by getting them there, that just sounds a bit daft to me. Why would you design it this way? Somebody has been watching too many Hollywood blockbusters and just thought it would be cool.
Yeah, is this something to do with
President Obama apparently being given the power to close down the Internet when the rest of the world doesn't want him to?
Perhaps having the key holders meet at a location in the U.S. shouldn't be the only plan?
What's with the keycard?
I always thought it was one *ping* to rule them all...
Re: What's with the keycard?
...and in the darkness BIND them.
It helps if you read the tagline of the article first.
I iz stoopid.