Seven People Hold the Keys to the Internet, Literally

In the event a cyber attack cripples the World Wide Web, seven members of a “chain of trust” have been given the responsibility of restarting the Internet, with each individual armed with a key.

The key holders include one member from each of the following countries: Britain, the U.S., Trinidad and Tobago, Canada, China, Burkina Faso and the Czech Republic.

According to, five of the seven would need to gather at a U.S. base with their keys in order to restart the Internet.

PopSci further described the keys:

The keys are actually smartcards that each contain parts of the DNSSEC root key, which could be thought of as the master key to the whole scheme. But it is interesting to know that there is a group of individuals out there that hold actual, physical keys that would reboot the Internet as we know it.

A video on the CommunityDNS website shows the keys and provides more background information on how they function. CDNS CEO Paul Kane was appointed by ICANN as one of the seven individuals, dubbed Trusted Community Representatives (TCR).

Tweet about this on TwitterShare on FacebookShare on Google+Share on RedditEmail this to someone


  1. 0
    Kincyr says:

    I’m surprised China has a key, what with the Great Firewall and all

    岩「hey Glenn Beck, I heard you oppose Net Neutrality, so we blocked your site.」

  2. 0
    hcf says:

    Forgive me for saying, I do not think that you do get it.  Imagine if you knew an African tribesman who contributes code to open source projects on a regular basis, participates in IETF protocol documentation and definitions, and generally advances the state of the art in Internet services in his home country (making the Internet deployable and reachable by his countrymen so that they can be enriched by it)?  A man who has a long standing reputation as being honest and trustworthy?  Would it seem so strange that this individual is selected?

    I can’t imagine what three you are referring to.  TT and BF maybe (and I admit I don’t know those two men, but I assume they are involved in advancing their respective country’s abilities to connect), but what is your "at least 3" 3rd?  CZ has hosted one and is hosting another IETF this year, at a time when US megacorporations refuse to do so (due to suddenly losing their marketing budgets to recession), and Ondřej’s contributions to the open source and DNS communities are manifold.  CN couldn’t possibly make your list of "backwards countries" because they have by vast majority the most Internet users of any nation, and their contributions are manifold – CNNIC has been instrumental in this very work.

    People are not caricatures of the countries they reside in.

  3. 0
    Kajex says:

    Albert, with the power of Online Gaming!

    Howard, with the power of Embedded Videos!

    John, with the power of Political Forum Flame-Wars!

    Stacey, with the power of Rumors About Girls On The Internet!

    Chris, with the power of the Chan Boards!

    Jamal, with the power of YTMND!

    And Ma-ti, with the Power of Heart!

    By your powers combined, I am TED STEVENS.

  4. 0
    Austin_Lewis says:

    I get that, but at least three of those people are from countries that have little to no worth that I’m aware of to the international community.

    It’d be like giving the key to an African tribemsen; it makes no freaking sense.

  5. 0
    hcf says:

    The countries are not receiving the key.  Specific people are receiving either access to the keys that unlock the key (TCO’s) or key shares – parts of the key that can be used to reconstitute the key if it is lost.  The key itself is safely locked away.

    Be careful what you call stupid.  Without DNSSEC signing the root delegations down to ‘’, you are highly vulnerable to attack.  In recent years, with the Kaminsky vulnerability for example, we have done our best to protect the operating DNS from incursion – using tricks and hacks to make incursion harder – but any solution short of DNSSEC is a temporary one.

  6. 0
    gellymatos says:

    So…hypothetically…if kidnapped these men…took their keys… then shutdown the internet…

    THE WORLD WOULD BE AT MY MERCY!!! I’ll give back the internet for… 1 million dollars!!! MUHAHAHAHAHA! AHAHAHAHAH! ahahahhahaha! hahaha! eh.



    "The difference between genius and stupidity is that genius has its limits." -Albert Einstein

  7. 0
    Austin_Lewis says:

    ‘Britain, the U.S., Trinidad and Tobago, Canada, China, Burkina Faso and the Czech Republic.’


    These are the countries that get the keys really?  1 is a communist dictatorship, and 3 are basically irrelevant.  This is stupid.

    I mean, the idea itself is stupid, but still..


  8. 0
    Magic says:

    There may be references to it, but I doubt it. The whole point of New Vegas is for most of the original designers to do a true FallOut sequel.

    Venturing across the wasteland to find the keys would be like in the "You gotta shoot ’em in the head" quest in FO 3 (Where you have to steal \ find keys for the fort for Mr Crowley), but there could be a twist where the quest giver just wants access to porn. 😀

  9. 0
    hellfire7885 says:

    I’m not saying this is true, but if it is they better have kept al lthose key holders anonymous. It wouldn’t just be the obvious terror groups who would have an interest in gettign their hands on such an items.

  10. 0
    hcf says:

    The "kill switch" is unrelated to DNSSEC or the need to recover DNSSEC KSK’s (Key-Signing-Key).  The recent executive powers discussions to disable networks is an access issue, whereas the DNS root zone (and thus the mechanics of signing and trusting the signatures of the root zone) is a service you would want to access.

    The root DNS zone (that delgates to .com, .net, and the various CC-TLD’s) is now signed with DNSSEC.  This has been a twenty year program to secure the DNS from spoofing or brute force transaction-ID insertion attacks (a la Kaminsky).  The problem posed by cryptography is where you anchor your trust.  What sort of cryptography and what key do you trust, and who has access to it?  The problem posed is that it is not enough for a key to exist – if that key can be subverted, then you don’t actually have something you can trust effectively.  If the key can be destroyed, then you don’t have a reliable system you can put your faith in to operate without significant flaw.

    So you have to lock away the private key in a safe place.  But for the community to have trust in that key, you have to have a compelling story about why that private key can’t be subverted by e.g. one person acting alone.

    So you have ICANN’s key policy, which involves people they call "TCO’s" to govern access to the KSK for ZSK purposes, enabling ICANN to extract the key from the safe for a signing event before putting it away.  And RKSH’s should the hardware the KSK is stored on should fail, or succumb to natural disaster – for recovery of the private key.

    TCO is ‘Trusted Cypto Officer’.  Several times a year, the KSK (Key Signing Key) of the root zone needs to be unencrypted so that it can sign new ZSK’s (Zone Signing Key).  TCO’s each hold a part of the key to perform this operation, from memory I believe only 3 of 7 of one set of TCO’s is required to perform this operation.  There are two sets of 7 TCO’s, 14 total, each 7 corresponding to one of the two key safe facilities on the East and West coast.

    RKSH is Recovery Key Share Holder.  There are only 7 of these, global to both facilities.  Each RKSH carries a portion of the KSK, and if I remember from Joe Abley’s presentation correctly only 5 of 7 are required to reassemble the key should it be lost.  Note that this just recovers the original KSK private key.  It does not solve the problem of incursion.  If someone cracks the key, what you need is a new key.  Recovering a copy of the old key does not help.

    This is where people get confused.  It is not tacitly required that the 7 RKSH’s must assemble in one of the two key safes to recover the key.  They could theoretically assemble anywhere.  In practical terms, because ICANN is under contract to the US Department of Commerce, I would expect that the RKSH’s would assemble in a new US key safe facility if both of the old US facilities had succumbed to some natural disaster or destruction.

    Note finally that the RKSH’s would not be needed until or unless the ZSK’s expire.  The loss of the key safe facilities does not "break the Internet."  It just disables ICANN’s ability to "key roll", or produce new ZSK’s signed by the KSK.  The old ZSK’s will continue to function just fine for as long as the keys are valid (I haven’t looked, but it is anywhere from several months to several years).

  11. 0
    Arell says:

    I have since thought about the whole "kill switch" thing, and now I’m even more confused.  The kill switch basically is just a dramatic way of saying that they turn off the telecommunication networks so a critical cyber attack cannot spread anymore.  Why would you need to give 7 different people from around the world the responsibility of turning it back on?  Why couldn’t the people who turned them off in the first place just do it themselves?  Is there some security risk I’m missing here, where we can’t trust the people in charge to do it?  If so, why do we trust them to turn it off in the first place?  Also, the kill switch only applies to the US, since the President would really only have the authority to tell telecommunication companies based in this country to switch off, nowhere else.  So why give the "keys" to people all around the world?  And then they all have to gather back here in the US to use them?  What is the point of all that?

    Not to mention, how the government plans to function during a crisis, with all communications offline.  You can’t "just" turn off the internet, as long as phone and tv cable lines are still working, packets of data can still be passed.  So you have to turn the whole damn thing off, leaving everyone completely isolated.  Unless they plan on running everything with shortrange radios.  I don’t know, this all seems incredibly stupid and not thought out….

  12. 0
    hcf says:

    At the IETF 78 meeting in Maastricht (where I am sitting right now), at the first DNSOP meeting, Joe Abley and another man I can’t remmeber his name offhand presented a nicely detailed explanation of how the key systems work and the reasons for the precautions to recover the keys in the event of catastrophe.

    There are two key safes in the US, one on each coast, and you have to understand that ICANN and Verisign operate the root DNS zone under contract – to the US Department of Commerce.

    So brining us back to your question:  The reason it had to be a facility in the U.S. is because that is a requirement stipulated by the US Department of Commerce.

  13. 0
    Roh02 says:

    why do they have to meet in the US? why not any of the other countries?.

    can the "hero" assemble 5 of the 7 keys and weild the master key once more in time to save the internet and rescue the princess. The legend of Zelda: KEYS OF THE INTERNET.

  14. 0
    hellfire7885 says:

    Since a good chunk of each game is a quest to give humanity a small stepping stone to get bakc on their feet, yes, yes it does. I do wonder if in New Vegas there will be any implications i nthe Mojave from Project Purity n the Capital Wastes

  15. 0
    Neeneko says:

     It is a rather melodramatic way of describing it….

    It is also a rather strange image since the whole point of the original design for the internet (i.e. from its ARPANET days) was that it could survive attacks on pieces of it (i.e. nukes) and still keep the remaining pieces connected and able to communicate with each other.

    Which the modern internet is still quite capable of doing…..

  16. 0
    Arell says:

    Either I’ve become completely out of touch with how the Internet actually works, or this sounds like a heaping pile of crap.  "Reboot the Internet?"  Isn’t the web just a series of millions of individual servers, each acting independantly to swap data packets over established telecommunication networks, from literally every region of the world?  How could you possibly "reboot" that, how does that even make sense?  Are they saying they have backup copy of the entire contents of every server in the world, and they can just turn a key to redownload it all everywhere at once?????


    EDIT:  Ugh, I really need to click on the links provided before responding to an article.  Nevvermind all the above.  I’ll just leave it up there to remind myself of my own idiocy.  :p

Leave a Reply