Hi Mike,

The point of an off-line CA (usually the root) is that this is the 'trust anchor' and often what is distributed to any relying parties as your trust point. All subordinate CAs can be compromised by compromising the root and so it deserves the highest protection. If a subordinate (on-line) CA is compromised, the root can revoke that CA and re-issue another and your PKI continues to function and the trust anchor is still valid. If the root was compromised you have to throw it all away and tell any relying parties to remove the root.

Using an HSM just improves the overall security of a CA and if the volume of certificates to be issued is very low then keeping the CA off-line also improves security.

The actual architecture employed is usually determined by your security policy as reflected in your certificate policy. You could use a low assurance level policy for an on-line / software CA with minimal registration requirements and a high assurance policy for a CA with rigorous registration, CA with HSM and subscriber keys stored/created on hardware tokens. So really the answer depends on what you want to achieve.

If I were a relying party and audited your PKI and found an on-line root, ambiguous policy, with software crypto and keys stored in users' profiles I would map that onto one of my low assurance policies and give the certificates you issue the due regard :-)

If you are really building a PKI then the architecture comes last after determining the certificate policy - you build a system to provide the level of assurance you need! See RFC 3647.

Cheers
Si

On 26/01/07, Mike Wiseman <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I see that other CA designs often consist of an offline CA + online
> subordinate CA. The subordinate CA can issue certs quickly due to the
> online data exchange which is very nice but what about the security risk
> to the online CA and its signing cert? Why bother with an offline CA when
> unauthorized access to the online CA compromises everything in that part
> of the hierarchy?
>
> Also, does the use of an HSM to store private keys remove the need for
> the attached CA to be offline?
>
> Thanks,
>
> Mike
>
> Mike Wiseman
> Computing and Networking Services
> University of Toronto
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
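The hierarchy Si describes, worked through end to end as an added example (not code from this thread, and not OpenCA's own tooling): an offline root certifies an online issuing CA, the issuing CA signs end-entity certificates, the issuing CA is then treated as compromised and revoked by the root, and a replacement is certified without relying parties having to change their trust anchor. It assumes only the OpenSSL command-line tool (1.1.1 or newer) on PATH; every name, lifetime and file path (Example Offline Root, Example Issuing CA, pki.cnf, root.index, ...) is constructed for the demonstration, and the root key is an ordinary file here rather than an HSM-held or off-line key.

```shell
# Added example, not code from the thread or from OpenCA: offline root plus
# online issuing CA with the OpenSSL CLI. Assumed: openssl 1.1.1+ on PATH.
# All names, lifetimes and file names below are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# Extension profiles for each tier, plus the 'openssl ca' database the root
# uses to record what it has certified and what it has revoked.
write_config() {
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca ]
default_ca = root_ca
[ root_ca ]
database = root.index
new_certs_dir = .
serial = root.serial
crlnumber = root.crlnumber
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 30
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  : > root.index; echo 01 > root.serial; echo 01 > root.crlnumber
}

# new_csr NAME CN: fresh key pair and certificate request for NAME.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# root_sign CSR OUT: the root certifies a subordinate CA and records the serial.
root_sign() {
  openssl ca -config pki.cnf -batch -notext -extensions v3_sub -days 1825 \
    -in "$1" -out "$2" >/dev/null 2>&1
}

# check_chain LABEL [openssl verify options] CERT: print and return the verdict.
check_chain() {
  label=$1; shift
  if out=$(openssl verify "$@" 2>&1); then echo "$label: accepted"; return 0; fi
  echo "$label: rejected"; printf '%s\n' "$out" | sed 's/^/    /'; return 1
}

run_demo() {
  cd "$(mktemp -d)"; write_config
  # 1. Trust anchor: self-signed root, the only thing relying parties install.
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_root \
    -days 3650 -keyout root.key -out root.pem -subj "/CN=Example Offline Root" 2>/dev/null
  # 2. Online issuing CA certified by the root; 3. it issues an end-entity cert.
  new_csr sub "Example Issuing CA"; root_sign sub.csr sub.pem
  new_csr leaf alice
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_leaf -days 365 -out leaf.pem 2>/dev/null
  if check_chain "leaf via issuing CA" -CAfile root.pem -untrusted sub.pem leaf.pem
  then LEAF_BEFORE=accepted; else LEAF_BEFORE=rejected; fi
  # 4. Issuing CA compromised: the root revokes it and publishes a CRL.
  openssl ca -config pki.cnf -revoke sub.pem >/dev/null 2>&1
  openssl ca -config pki.cnf -gencrl -out root.crl >/dev/null 2>&1
  if check_chain "issuing CA, CRL checked" -crl_check -CAfile root.pem -CRLfile root.crl sub.pem
  then SUB_AFTER=accepted; else SUB_AFTER=rejected; fi
  # Caveat: a relying party that skips revocation checks still accepts old leaves.
  if check_chain "old leaf, no CRL check" -CAfile root.pem -untrusted sub.pem leaf.pem
  then LEAF_NO_CRL=accepted; else LEAF_NO_CRL=rejected; fi
  # 5. Root certifies a replacement; relying parties keep the same trust anchor.
  new_csr sub2 "Example Issuing CA G2"; root_sign sub2.csr sub2.pem
  new_csr leaf2 bob
  openssl x509 -req -in leaf2.csr -CA sub2.pem -CAkey sub2.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_leaf -days 365 -out leaf2.pem 2>/dev/null
  if check_chain "replacement CA, CRL checked" -crl_check -CAfile root.pem -CRLfile root.crl sub2.pem
  then SUB2_AFTER=accepted; else SUB2_AFTER=rejected; fi
  if check_chain "new leaf via replacement CA" -CAfile root.pem -untrusted sub2.pem leaf2.pem
  then LEAF2=accepted; else LEAF2=rejected; fi
}

run_demo
```

The "old leaf, no CRL check" step is the practical catch in Si's point: revoking the issuing CA only protects relying parties who actually check the intermediate's status (openssl's `-crl_check_all`, or OCSP via the certificate's AIA), so a certificate policy that relies on this recovery path has to require such checking. The `openssl ca` database (root.index, root.serial, root.crlnumber) is what the root has to keep across its rare on-line sessions; in a real deployment that state and root.key live with the off-line or HSM-backed root, not on the issuing CA host.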
