On Wed, Jun 8, 2011 at 10:59 AM, Michael Newbery
> Which leads me to ask, is it possible for no one person to know the key, but rather to have just a portion of a key?

That's exactly the process used for the Root signing process. There are seven crypto officers for each of the two signing locations. When the original signing processes occurred we all had to be present and we initialised portions of a key on smart cards. Each of us stores these in a tamper-proof bag in an individual safe deposit box in the facility. When I travel to the ceremonies I take a physical key to that box and we have a very clear process to check the smart cards in and out.

Three of the seven crypto officers must be present for the renewal to take place. We do this every three months at the East and West coast facilities. There are backup procedures to cope with various contingencies - not enough crypto officers, lost keys and so on.

The whole process is set out as a series of steps which we follow rigorously - you can see the audit trail for the ceremonies at http://data.iana.org/ksk-ceremony. In particular, the initial ceremony I attended is documented at http://data.iana.org/ksk-ceremony/2/ceremony2-script-annotated.pdf

Do we need a process that's as detailed and elaborate? Perhaps not, but we do need a process we can trust. I'm going to make a commitment to the NZ Internet community that as a member of the DNCL Board I won't agree to a process that doesn't have the support of the community for the DNSSEC signing of .nz - exactly what that looks like needs to be discussed, negotiated and agreed.

I'll echo the requests made by others on this list for a clear description of the processes.

andy
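The "three of seven" property discussed above, shown as an added worked example that is not part of this thread and is not the mechanism the IANA ceremony HSMs and smart cards actually use: a Shamir threshold scheme over a prime field splits a secret into seven shares so that any three reconstruct it, while any two are consistent with every possible secret and so reveal nothing. The prime, the sample secret and the helper names (`split_secret`, `reconstruct_secret`, `implied_share`) are all constructed for this illustration.

```python
"""Shamir k-of-n threshold secret sharing over a prime field.

Added example, not the thread's own code and not the HSM-based custody used
in the IANA KSK ceremonies. It demonstrates the property under discussion:
no single holder knows the secret, any k holders can recover it, and fewer
than k holders learn nothing about it.
"""
import secrets

# Constructed demo parameter: the Mersenne prime 2^127 - 1 gives a field
# large enough to hold a 126-bit secret (a real key would be larger).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split `secret` into n shares (x, y), x = 1..n, any k of which recover it.

    The secret is the constant term of a random polynomial of degree k-1;
    each share is a point on that polynomial.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation: value at x of the unique polynomial through `points`."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates in points")
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i == j:
                continue
            num = num * (x - xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        result = (result + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return result


def reconstruct_secret(shares):
    """Recover the secret (polynomial value at x = 0) from at least k shares."""
    return interpolate_at(shares, 0)


def implied_share(partial_shares, candidate_secret, x):
    """Show why fewer than k shares reveal nothing.

    Given k-1 shares and ANY candidate secret, there is exactly one degree-(k-1)
    polynomial through (0, candidate) and those shares; this returns the share
    at x that polynomial would produce. Every candidate yields a valid-looking
    share, so the k-1 holders cannot tell which secret is the real one.
    """
    return interpolate_at([(0, candidate_secret)] + list(partial_shares), x)


if __name__ == "__main__":
    secret = secrets.randbelow(2**120)  # constructed sample secret
    shares = split_secret(secret, k=3, n=7)
    assert reconstruct_secret([shares[0], shares[3], shares[6]]) == secret
    # Two officers alone: the real secret and a wrong guess are both consistent.
    print("true 3rd share :", shares[2][1])
    print("real secret    :", implied_share(shares[:2], secret, 3))
    print("wrong guess    :", implied_share(shares[:2], 12345, 3))
```

In a ceremony the analogous check is procedural rather than arithmetic: the scheme guarantees that a lost or stolen card (one share) is useless on its own, while the quorum rule (three cards present) is what the audited script enforces before the HSM will sign.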