Re: PKI root signing ceremony, etc.

2003-12-23 Thread Dan Geer
One approach to securing infrequent signing or working keys from a corporate master certificate is to store the certificate in a bank safe deposit box. The certificate generation software (say on a self booting CD or perhaps an entire laptop) could be stored in the safe

Re: PKI root signing ceremony, etc.

2003-12-15 Thread Rich Salz
*shrug* it doesn't retroactively enforce the safety net - but that's ok, most MS products don't either :) The whole point is to enhance common practice, not stay at the lowest common denominator. Key management and auditing is pretty much external to the actual software regardless of which

Re: PKI root signing ceremony, etc.

2003-12-15 Thread Peter Gutmann
Dave Howe [EMAIL PROTECTED] writes: Key management and auditing is pretty much external to the actual software regardless of which solution you use I would have thought. Not necessarily. I looked at this in an ACSAC'2000 paper (available from http://www.acsac.org/2000/abstracts/18.html). This

Re: PKI root signing ceremony, etc.

2003-12-15 Thread Dave Howe
Peter Gutmann wrote: Dave Howe [EMAIL PROTECTED] writes: Key management and auditing is pretty much external to the actual software regardless of which solution you use I would have thought. Not necessarily. I looked at this in an ACSAC'2000 paper (available from

PKI root signing ceremony, etc.

2003-12-14 Thread Rich Salz
Some folks here might be interested in http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html which walks through a secure, auditable root keygen and signing ceremony. The context is using OpenSSL to build a PKI so that we can write an XKMS server, building up to secure Web Services messages