Policy-Discussion

[Elwing <elwing AT elwing.org>]

>> 
> 
> P.S. for those that do not understand the impact of 30 year: if in 10
> year the encryption mechanism that was used to protect the root key was
> broken, we'd have to revoke the key, *unless* we can prove no copies
> exist outside the control of the board. So if we use 10 key holders, and
> after 10 year one or two do not respond, these copies are out there, and
> as such the root cannot be trusted anymore (the encryption *might* be
> broken, and we are *not sure* it's not!). A CA is all about trust and
> reliability, right? Even if everyone would respond and hand over their
> key, we still can't be *sure* a rogue copy does not exists.
> The only way to be a bit more sure it's not copied, is by storing the
> key on a physical device that cannot easily be copied (for instance an
> encrypted and PIN protected smartcard), and have full life-cycle control
> over physical and logical access to that device (for instance in a vault
> with access logging, in a uniquely numbered tamper evident sealbag).
> This is non-existing at the moment, hence the complexity of the problem :-)

I just wanted to respond to this part - is there a lockbox facility at the 
Data center where the root is hosted?  Could it possibly used to store such a 
token?  There's a list of "authorized users" that can request the contents of 
that box, they have the pin to unlock that token. You'd effectively need two 
people: the Data Center manager/operations staff for physical access, and the 
person with the PIN for logical access. The PIN could be changed if necessary.

Another method I've seen (and it's been audited against the Federal bridge, 
but not any of the WebTrust/etc audits) is that the root key is stored on the 
RootCA hard drives.  The drives are RAIDed - 2 need to be brought together to 
bring up the CA.  However, this only works when you've got an off-line root.