ietf-openpgp

RE: CDR design document

1997-10-22 06:49:41
A very well thought out document, the concept of periodic key revalidation 
via server is a good one though I suspect that in the future and in a
corporate environment, use of the local keyring will dwindle in favor of
use of a trusted server. 

The point about CMR keys is well taken though I would expect that only very 
small organizations will have but a single CMR key/repository. What I am
looking at these days is a different CMR key for each internal entity,
locally administered.

There will then likely be a hierarchy of repositories, each responsible for 
their own traffic. There will probably be a corporate repository of keys only
(please refrain from the horror of it and exclamations of the difficulty
of maintaining security/integrity. Am deliberately making the mechanism
easy to put in/difficult to extract with multiple access controls, not in 
the same locations).

One of the precepts is that the root certificate generator will never be
connected to the network and is stored in a secure container approved
for classified use. This is causing some difficulties: Microsoft IIS
v4.0 servers are insisting that they connect to the root server (which is not
going to happen). Netscape Suite Spot does not seem to have this difficulty,
there is a box that may be ticked to tell it that the root is offline.

Have a feeling that this will be a real problem with Microsoft products - 
seem to allow one and only one master certificate server/generator for the
enterprise and it *must* be online.

One of the things we are looking at is a "shadow" root server which will be
able to receive certificate requests/disseminate approved certificates but
not to generate certificates.

Expect that in a couple of years, all of this will be easy. Right now is
the first time for a *lot* of things and we need to get it right.

                                                Warmly,
                                                        Padgett

ps Just an observation: with the power of today's laptops, using one for a
   root or corporate repository makes a lot of sense provided you can
   physically secure it. Generally it is simple to swap drives and to verify
   that the network connection is removed before starting in a "sensitive"
   mode. Also the "secure container" does not need to be so large and any
   secretary can remove/replace. With a docking station, the entire unit
   may be removed/replaced as well. Since both very large drives and
   silly amounts of RAM are available, this is not a limitation. Finally
   spares and swapping is easy though it is a good idea to put red bands
   around the sensitive disk(s) so they do not accidentally get swapped with 
   non-sensitive. Just make sure they are not easily stolen.
