Analysis: The 21 gatekeepers of the web

Should the internet ever be compromised in the way envisaged in 2008 where a malicious attacker could rearrange the internet's address directory, causing global chaos, there are seven people who would be called upon to fly to two facilities in the US and reboot the web.

One of those seven gatekeepers to the internet's future is British citizen, Paul Kane, who was yesterday splashed across headlines after an interview he gave BBC as a member of DNSSec (Domain Name System Security).

As one of the seven so-called "trusted community representatives" (TCR) appointed by the The Internet Corporation for Assigned Names and Numbers (ICANN) in June, Kane and at least four of the six other TCRs would have to fly to the US to participate in an authentication process that would restore the internet's domain name system (DNS).

But who are the other six? 

The most notable of all TCRs is none other than Dan Kaminsky, the former Cisco engineer and security researcher who, during the 2008 Black Hat conference, revealed a flaw in the internet's naming system which made a swathe of its networking infrastructure vulnerable to "DNS cache poisoning" - the very attack that DNSSec is designed to mitigate.

The US Computer Emergency Response Team (CERT) roughly describes DNS cache poisoning as an attack technique that allows a nameserver's client to be tricked into contacting an incorrect and possibly malicious host. In other words a request to land at a legitimate banking website might end up contacting a server hosted in the Ukraine. Apple, Cisco, Juniper Networks, Microsoft, Nortel, Sun, Ubuntu, Debian GNU/Linux and others were known to be vulnerable to the attack.

The other so-called "internet key holders" include Bevil Wooding from Trinidad and Tobago, Chinese national Jiankang Yao, Moussa Guebre of Burkina Faso, Norm Richie from Canada,, and Ondrej Surý from the Czech Republic.

Richard Lamb, Program Manager at DNSSec described the function that key holders serve and what processes they would need to follow in order to reboot the internet.

The recovery key shareholders have a smart card, which is not the "root key", but "a piece of a key used to encrypt the key ... and they are responsible for those."

"We have set it up so we need a minimum of five of those people to come together to recreate that encryption key," said Lamb.

The reason members were selected from different parts of the world was to ensure that a reboot had the involvement of the "internet community".

But these seven form just one part of DNSSec's three pillar structure. In total there are 21 members that have been appointed to assist the internet's recovery from a catastrophic event.

Vint Cerf, the father of the internet, is one of seven "Crypto officers" who has been appointed as a gatekeeper for the US east coast facility. There are seven more for the US west coast facility. Each of the officers comes from a different part of the world, including the Netherlands, Sweden, Brazil, the US, New Zealand, Russia, Japan and others.

Lamb said the crypto officers would be required in a catastrophic event such as another 9/11.

"The crypto officers on the other hand, we're gonna give them physical keys to a safety deposit box that we have built inside one of these two safes that actually has the smart cards in there."

And why not giving them cards?

"This system has to operate. It cannot fail. If we have a 9/11 situation, or something where these people cannot travel here, we have to be able to get at these keys," said Lamb.