"Jeffrey I. Schiller" <j...@mit.edu> writes:

>Because of prior experience with a SafeKeyper(tm) (a very large HSM), I
>learned that when the only copy of your key is in an HSM, the HSM vendor
>really owns your key, or at least they own you!
I thought the Safekeypers had a cloning mechanism (as do things like Chrysalis cards, although that proved to be not very secure when it was reverse-engineered), and the idea was that you cloned one into the other as a backup? Mind you, at $x0,000 per device that's a good business for the HSM vendor.

"Weger, B.M.M. de" <b.m.m.d.we...@tue.nl> writes:

>Suppose this happens in a production environment of some CA (root or not),
>how big a problem is this? I can see two issues:
>
>- they have to build a new CA and distribute its certificate to all users,
>  which is annoying and maybe costly but not a security problem,
>
>- if they rely on the CA for signing CRLs (or whatever revocation
>  mechanism they're using) then they have to find some other way to revoke
>  existing certificates.

The original article doesn't make this clear, but what's involved here isn't really a PKI in the conventional sense but more something like a master-keyed system in the style of ATM networks. In the same marvellous repurposing of terminology that often occurs elsewhere in smart cards where, for example, a checksum becomes a "signature", in this case the "certificates" are just a jumble of parameters, some stuffed inside the signature itself (via a sign-with-message-recovery mechanism instead of the usual sign-with-appendix) and the rest bound to it through a hash. The "CA" key is more an attestation key; there are no CRLs or certificate-checking in the conventional sense (you can get away with these name games by calling the stored data a "card verifiable certificate", and if you have a "certificate" then what signs it is obviously a "CA", so you get something that seems to be a PKI but isn't). So when you lose your master key as they did in this case and there isn't really a PKI there at all, it really is game over.
Even if it was a real PKI, rolling over a root is an incredibly traumatic experience, which one trial found could only be done via a "system rebuild" (in plain English, a reformat and reinstall of the whole PKI). This is why CA root certs have a 20-40 year lifetime, so you never end up in a position where you have to roll them over.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com