[dnssec-key-tf] agreements on the use of the repository
Sam Weiler
Thu Sep 13 10:31:10 CEST 2007
On Thu, 13 Sep 2007, Peter Koch wrote:

> The one additional task we have to address then is the part where the TAR
> has to establish contact with those TLD registries willing to submit their
> key(s). Hopefully not too much waste of time.

That's the interesting bit.

Happily "making sure we get the right key in the first place" is likely to be pretty easy: the TLDs are publishing keys on their webpages signed with some other cryptosystem (GPG), much like the NCC is doing for its reverse zone keys, and we have heuristics (recognizing each other's voices on the phone) to authenticate many of them.

The trick comes in updating the keys (and making sure that we don't list any that we can't update).

Here's a strawman proposal:

Require, as a condition of being listed in the TAR, that each TLD (or in-addr.arpa entry):

a) agree to notify the TAR operator (the NCC) of key changes via a signed message pushed from the TLD

b) agree to periodically send signed, timestamped messages to the operator confirming the current key, and

c) establish multiple out-of-band communication channels and authentication credentials in case a and/or b fail.

[As an option, if the TLD is willing to commit to updating a signed webpage or equivalent, the TAR operator could poll periodically. In that case, we'd need to establish the polling interval, and the TLD would need to re-sign the webpage periodically (with a timestamp) to avoid infinite replay attacks.]
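Added example, not part of the original post: a sketch of the operator-side freshness check that items (a) and (b) and the polling option imply, rejecting validly signed but old or replayed confirmations. The message layout, the `Entry` class, `MAX_AGE` and `SKEW` are assumptions, and an HMAC stands in for the GPG signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import json

MAX_AGE = 7 * 86400   # assumed confirmation/polling interval in seconds
SKEW = 300            # assumed tolerated clock skew in seconds

class Entry:
    """One listed zone in the repository (hypothetical structure)."""
    def __init__(self, zone, auth_key):
        self.zone = zone
        self.auth_key = auth_key  # HMAC key standing in for the zone's GPG key
        self.dnskey = None
        self.last_ts = 0          # timestamp of the last accepted message

def _sig(auth_key, body):
    return hmac.new(auth_key, body, hashlib.sha256).hexdigest()

def make_message(auth_key, zone, dnskey, ts):
    """Zone side: build a signed, timestamped key confirmation."""
    body = json.dumps({"zone": zone, "dnskey": dnskey, "ts": ts},
                      sort_keys=True).encode()
    return body, _sig(auth_key, body)

def accept(entry, body, sig, now):
    """Operator side: verify first, then apply the freshness rules."""
    if not hmac.compare_digest(_sig(entry.auth_key, body), sig):
        return "bad-signature"
    msg = json.loads(body)
    if msg["zone"] != entry.zone:
        return "wrong-zone"
    if msg["ts"] > now + SKEW:
        return "future-timestamp"
    if now - msg["ts"] > MAX_AGE:
        return "stale"            # validly signed but too old
    if msg["ts"] <= entry.last_ts:
        return "replay"           # not newer than what is already on file
    entry.dnskey, entry.last_ts = msg["dnskey"], msg["ts"]
    return "accepted"

def needs_out_of_band(entry, now):
    """True when no fresh confirmation exists and channel (c) is needed."""
    return now - entry.last_ts > MAX_AGE
```
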