Subject: Policy-Discussion
- From: Duane <duane AT cacert.org>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] What is CAcert's mission?
- Date: Wed, 22 Feb 2006 08:22:59 +1100
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
Peter Williams wrote:
> This is why I have such respect for Microsoft - not contempt, as many folks express. As an engineer, one can work in the Apple-style camp
This has nothing directly to do with your post per se, but others are making posts about the loss of a root key, and this kind of fits because of your comments about MS...
I've known for a very long time how to handle root and sub keys/certificates correctly, and in fact MS publish documents on this topic that go pretty close to what I'm going to describe.
First of all, the main root certificate should be stored offline, preferably in a one-way hardware device that can only be used to sign other roots, but failing that something like PGP/GPG's method of requiring multiple keys to decrypt it. One could even go so far as having the main root held by a third party such as a lawyer who is bound by contract to only turn it over if XYZ occurs (things like needing new sub-roots, the loss of a sub-root and subsequent revoke and re-issue, so on and so forth).
The only root certificates that are directly accessible are sub-roots, as I tried to describe in previous emails. This system wasn't adopted in the past due to the perception that the most secure system in the world is all well and good, but what's the point if no one actually uses it.
While issuing a completely new root certificate for a completely new private key embedded in a one-way hardware device would be nice and all, there are a few problems with this as well, such as most hardware devices only allowing up to 2048 bits. OK, so only 640-bit certificates have been brute forced in a reasonable amount of time, but the primary root certificate has to last at least 10-30 years due to browser acceptance policies.
Also I have a slight worry about wanting to keep the existing user base from being ticked off. It's the early adopters that are helping to promote us, and it's the early adopters we need to keep on side most of all, so simply stating that once we have browser inclusion everything will be rosy... if only it were going to be true :)
So my thoughts on the topic are as follows: we hold a key party with a number of witnesses and perhaps even video tape the whole procedure, and we issue a new root key and sign it by the existing root key. We then produce an encrypted copy of the private key with m of n GPG keys, which is burnt onto CD to be held by a trusted third party under escrow contract.
Next, a number of sub-root keys/certs are issued and signed by the new root. We will need to put a lot of thought into descriptions, OIDs and so forth on the certificates so we don't end up with people griping for whatever reason.
Once all this occurs we destroy any and all copies of the existing private key, and only issue new certificates from the sub-roots stored on hardware module(s).
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
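The hierarchy Duane sketches above (an old root that signs a new root, sub-roots issued by the new root, and day-to-day certificates issued only from the sub-roots) can be reproduced on a workstation with the OpenSSL command line. The script below is an added example, not CAcert's own ceremony tooling or anything from this list; it assumes only that `openssl` and `mktemp` are on the PATH, uses plain key files where the message wants hardware modules and m-of-n escrow, and uses constructed subject names. It shows the property that makes the transition painless for existing users: the same leaf certificate validates both for a client that still only trusts the old root (through the cross-certificate) and for one that trusts the new root directly, while a certificate signed by an end-entity key is rejected because of `basicConstraints`.

```shell
#!/bin/sh
# Added example: old root -> cross-signed new root -> sub-root -> leaf,
# verified against both trust anchors. File-based keys stand in for
# the offline root / hardware-held sub-root keys described in the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extension profiles: CA certificates may sign; leaves may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectKeyIdentifier=hash\n' > leaf.ext

# gen_key NAME : fresh RSA-2048 private key in NAME.key
gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null; }

# self_sign NAME CN SERIAL DAYS : self-signed CA certificate in NAME.pem
self_sign() {
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$4" -set_serial "$3" \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}

# issue NAME CN ISSUER EXTFILE SERIAL DAYS OUT : certificate for NAME.key signed by ISSUER
issue() {
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -days "$6" -set_serial "$5" \
    -extfile "$4" -out "$7" 2>/dev/null
}

build_hierarchy() {
  gen_key oldroot; self_sign oldroot "Example Old Root" 1 7300
  gen_key newroot; self_sign newroot "Example New Root" 2 7300
  # Cross-certificate: the NEW root's key and subject, signed by the OLD root.
  # Subject must match newroot.pem exactly so chain building can substitute it.
  issue newroot "Example New Root" oldroot ca.ext 3 7300 cross.pem
  # Sub-root: the only CA key that is online and used for routine issuance.
  gen_key subroot; issue subroot "Example Sub-Root" newroot ca.ext 4 3650 subroot.pem
  gen_key leaf;    issue leaf "server.example" subroot leaf.ext 5 365 leaf.pem
}

# Client that still trusts only the old root: leaf -> sub-root -> cross-cert -> old root.
verify_via_old() {
  cat subroot.pem cross.pem > chain-old.pem
  openssl verify -CAfile oldroot.pem -untrusted chain-old.pem leaf.pem >/dev/null
}

# Client that trusts the new root: leaf -> sub-root -> new root.
verify_via_new() {
  openssl verify -CAfile newroot.pem -untrusted subroot.pem leaf.pem >/dev/null
}

# A certificate signed with the leaf's key must be rejected: CA:FALSE stops an
# end-entity key from acting as an issuer even though openssl x509 will sign with it.
rogue_is_rejected() {
  gen_key rogue; issue rogue "rogue.example" leaf leaf.ext 6 365 rogue.pem
  cat leaf.pem subroot.pem > chain-rogue.pem
  ! openssl verify -CAfile newroot.pem -untrusted chain-rogue.pem rogue.pem >/dev/null 2>&1
}

build_hierarchy
verify_via_old    && echo "leaf verifies against the OLD root via the cross-certificate"
verify_via_new    && echo "leaf verifies against the NEW root directly"
rogue_is_rejected && echo "certificate signed by an end-entity key is rejected"
```

The cross-certificate is what lets the old root be retired gradually: servers ship `subroot.pem` plus `cross.pem` in their chain, old clients stop at the old root, new clients stop at the new root, and neither needs a reissued leaf. Once the old root is withdrawn and its key destroyed as the post proposes, only `cross.pem` needs to be dropped from the served chain.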