Criteria for Trusted Community Representatives
We seek to maintain confidence in, and acceptance of, the DNSSEC security mechanisms used among the wider Internet community. As a key component of its trust model, we ask that representatives of the DNS technical community be involved in key aspects of managing the Root Zone Key Signing Key (KSK). These roles are known as trusted community representatives (TCRs). This document explains the requirements of the role, the process of selection of the TCRs, and the support arrangements available for the TCRs.
Roles and Responsibilities of the TCRs
There are two types of active TCRs:
Cryptographic Officers (COs) attend key signing ceremonies (typically around 1-2 times per year), help activate the hardware security module that stores the KSK, observe the proceedings of these ceremonies, and attest they were conducted appropriately to build trust in the greater Internet community. The Cryptographic Officer is also responsible for a safety deposit box key, which is used to retrieve HSM smart cards from our facilities.
Recovery Key Share Holders (RKSHs) maintain smart cards that decrypt a backup of the KSK in the event of a catastrophe. The backups are designed such that RKSHs are required to use them. RKSHs do not regularly attend ceremonies, but must be able to travel on short notice in the event of an emergency.
In addition to COs and RKSHs, we maintain a pool of interested individuals as backups in the event that any active TCRs resign or retire. Backup TCRs must meet all of the same requirements as active TCRs and be able to immediately fill CO and RKSH vacancies.
A TCR’s primary responsibility is being available to attend key ceremonies in accordance with their role. For COs, this means attending 1-2 scheduled ceremonies per year. All roles involve being on standby and having appropriate travel documentation up-to-date to be able to attend ceremonies on short notice.
For COs, inability to attend at least one ceremony per year is grounds for dismissal as a TCR at our discretion. Last-minute cancellations must be avoided. We prefer that a TCR decline to attend rather than commit and later cancel. Other responsibilities for TCRs include maintaining secure custody of their materials and performing their role in ceremonies.
TCRs represent the broader Internet community and should use relevant opportunities to increase confidence in the management of the Root Zone KSK. This includes reporting back to their communities the controls that underpin DNSSEC to promote trust and understanding of the KSK.
TCRs must provide timely responses to our staff regarding their availability for ceremonies, renewal of background checks, and confirmation of materials.
For a better understanding of the roles and expectations, see TCR Roles.
Selection Criteria for TCRs
While strong technical knowledge of the Internet is not the primary factor in TCR selection, TCRs should be committed to the security of the DNS, and be knowledgeable, or committed to becoming knowledgeable, about our operating environment and technical responsibilities.
Wide participation in this process is encouraged, as diverse participation gives greater confidence in the management of the Root Zone KSK.
- Persons of integrity, objectivity, and intelligence, with reputations for sound judgment and open minds;
- Persons with an understanding of the Domain Name System and the potential impact of DNSSEC operations on the global Internet community;
- Persons who can represent the broadest cultural and geographic diversity consistent with the other criteria set forth;
- Persons who are familiar with: the operation of TLD registries and registrars; IP address registries; Internet technical standards and protocols; policy development procedures, legal traditions and the public interest; and the broad range of business, individual, academic and non-commercial users of the Internet;
- Persons who are willing to serve as volunteers (without compensation);
- Persons who are able to communicate in written and spoken English. (English does not have to be the candidate’s first language);
- Persons must not be from an organization affiliated with the root zone management process (PTI, ICANN or Verisign).
How to apply
Those who are interested in becoming a trusted community representative are invited to submit a statement of interest (SOI). This statement of interest should explain how you fit the criteria for selection.
We will keep your SOI on file, and whenever there is a vacancy in our TCR roles, we will review the available SOIs against our selection criteria. Should you be selected for an open position as a TCR, we will contact you. Initially we will place you on provisional status while we perform the required screening to be adopted into the TCR pool.
If you are not immediately selected, we may contact you from time to time to ensure your SOI is up-to-date and to confirm whether you still wish to be considered for the role at a later date.
Upon a vacancy, the SOIs we have on file shall be reviewed to select candidates that ensure that the TCRs are composed of members who — in the aggregate — display diversity in geography, culture, skills, experience and perspective, by applying the Selection Criteria set forth above in this document.
We will not disclose the identities, recommendations or discussions of/about potential candidates, unless both parties have given explicit authorization to disclose the information.
We may engage with third party vendors who will contact the candidate for Personally Identifiable Information (PII) for background checks. This process will be performed with the assistance of ICANN's Human Resources department.
Candidates who have passed the background check and are selected will be asked to complete a TCR Agreement and TCR Declaration. The name and country of residence of the selected TCRs will be published at the close of the process. No other PII will be publicized.
Retirement and Rotation of the TCRs
Cryptographic Officers (COs)
Even though there is no precise term limit, COs typically serve for a number of years. TCRs should resign when they are no longer able to maintain their responsibilities, but must uphold their responsibilities until we have identified their replacement and we are able to induct them at a ceremony. In addition to voluntary resignation, TCRs who have been active for more than five years are eligible for mandatory retirement.
To minimize disruption and maximize knowledge transfer amongst TCRs, we will only replace a maximum of one CO per regularly scheduled ceremony who has reached retirement eligibility. Should one or more COs resign voluntarily or be otherwise no longer eligible, their replacement will be conducted in lieu of any replacements due to retirement for that period. The exact retirement schedule is at our discretion based on factors such as ceremony planning and availability of replacements.
If more than one CO is eligible for replacement due to length of tenure, the priority for replacement is:
- COs who have served longest will be replaced first; then
- COs who have attended the fewest ceremonies; then
- COs who have gone the longest time without attending a ceremony; then
- Should multiple COs be equal on all of these factors, we will select a CO whose replacement would best fulfill the diversity requirements of the selection criteria.
A CO who retires due to length of tenure, but still wishes to be involved, can apply to be entered into the Backup TCR pool in order to be considered for a future role.
Recovery Key Share Holders (RKSHs)
There are currently no defined term limits for RKSHs. RKSHs must continue to meet their eligibility criteria.
Backup TCRs may stay in the pool indefinitely so long as they continue to meet their eligibility criteria.
We have an optional travel support program that provides TCRs airfare and accommodation, along with a stipend. TCRs may request travel support after they have confirmed attendance for a specific ceremony. The program is similar to the ICANN Constituency Travel support programs.
More information is in the specific travel support procedure.
We initially called for volunteers for TCR roles in 2010, and selected 35 people. We have successfully performed the first seven years of operations based on that initial round of volunteers. As some TCRs have resigned, we have replaced them with volunteers in the backup TCR pool. In 2014, we reviewed the operations of the TCR program and incorporated that feedback into the current processes.