In the run-up to the signing of the root zone there has been an extensive discussion regarding who should control the cryptographic key signing key (KSK) that forms the basis for validating the root zone, and consequently all lower-level domains of the Domain Name System (DNS). At stake is the trust in the root zone and the confidence in the corporation administering and implementing it, i.e. ICANN. The threat they are trying to avert is a partitioning of the Internet into several alternative root zones. To strengthen ICANN’s legitimacy and the trust in the root zone, some people are advocating that control of the key signing keys should be divided between several interest groups through so-called M-of-N control.
The security technique of M-of-N aims to obstruct or prevent individual officials from disregarding stipulated security practices. The technical means of control in M-of-N are based on regulating access to a physically protected signing unit (a hardware security module, HSM), including key storage and tamper protection, which requires M of the N officials to be present during key operations. This access control does not normally mean that the key material itself is divided between the officials; it relates only to access to the security module.
Even though it is cryptographically possible to split a secret M-of-N (threshold secret sharing), doing so with the key material is highly impractical, and furthermore makes it possible for a group of collaborating officials to reconstruct and compromise the key. Division of the key material weakens the confidentiality protection of the private keys, and therefore counteracts the objective of strengthening the trust in them.
Access regulation through M-of-N control is also not an appropriate way of delegating (part of) the operational responsibility to other organizations. The operating environment would become too vulnerable, and may suffer serious consequences if the required individuals cannot or will not turn up (for whatever political or practical reasons) on short notice to perform the cryptographic operations needed.
In all respects the objective should be a reduction of complexity in root zone administration and management. Organizational, political and technical stability should be the primary objective, and then the trust in it will follow suit.
A common misunderstanding is that the trust in the root key is superior to the confidence in ICANN. In reality, it is the other way around. The trusting parties can choose for themselves whom they have confidence in, by pointing their name servers at the ICANN root and configuring the trust anchor published by ICANN. The question of who controls and performs the signing operations is unimportant as long as the content of the zone is controlled. Implementing M-of-N across several organizations will instead increase the risk of introducing uncertainties that in the long run can counteract the objective of preventing a division of the Internet namespace. The trust in the root also does not depend on being able to transfer the key material to another organization, since the new organization would still have to use new keys and prove itself reliable in the same way. Having earned people’s trust is not the same as controlling the key material.
We consider there to be no reason for complicating the management of the root zone by involving several different parties in the necessary key operations. M-of-N control should only be used within the managing body, as a way of strengthening confidence in the integrity of the root zone.
At the end of the day, trust is a soft value that does not depend solely on this technical means of control.