PKI root signing ceremony, etc.

Dave Howe DaveHowe at gmx.co.uk
Sun Dec 14 13:46:13 EST 2003


Rich Salz wrote:
>> These days there is a very nice oss/free gui tool which makes the
>> whole process a whole lot easier - check out:
>> http://sourceforge.net/projects/xca
> It's nice to have a GUI, but seeing phrases like
>    For building the chains the CA flag is disregarded ...
> doesn't make me feel very comfortable.
*shrug* it doesn't retroactively enforce the safety net - but that's ok,
most MS products don't either :)
Note what it is saying here is that if you *have* a cert signed by a non-CA
key/cert pair, it will still display the chain - not that you can use a
non-CA key/cert pair to sign with (which is another issue; writing software
to sign using non-CA key/cert pairs is trivial though).
XCA enforces the basic constraint for key signing, it is just more lax while
displaying chains.

> Also, there's no discussion of key management, auditing, etc.
Nor is there any with OpenSSL - there is revocation list management (which
is more than some commercial CA software in this area provides, and more
than Thawte even bothers to offer :)
Key management and auditing are pretty much external to the actual software
regardless of which solution you use, I would have thought. Your rituals are
equally applicable to xca - just the nature of the tool (a pretty GUI rather
than a command line exe, script and some config files) has changed.

> XCA is probably useful, but as a
> Level 1 CA, not an enterprise root or management thereof.  Those are
> the points I tried to address in the column.
A two-level independent CA is possible, by having more than one XCA database.
The location of the database can be specified to be on removable media
(which simplifies things quite a bit :)
Assuming you have two databases (a:\master.db and c:\level1.db), just create
two shortcuts to xca with each db passed as a command line parameter - or if
you want to keep *both* on more reliable removable media (say, a thumbdrive)
you could arrange for the autorun.ini on each to automagically launch XCA
when inserted into a USB slot, running xca directly from the thumbdrive (so
no footprint at all on the machine) - this is trivial to do with a little bit
of VBScript or batch file scripting.
You could also (if it makes you feel more secure) use OpenSSL for the root
certificate (which after all doesn't see much use) and XCA for day-to-day
issuing of keys, but there seems little or no reason to do so.

Personally, I keep my XCA databases in scramdisks.
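The two points in the message above (a root plus a level-1 CA kept as separate databases, and the difference between signing with a non-CA key pair and a verifier accepting that chain) as an added example that is not part of the original thread and not XCA's or OpenSSL's own code: it uses only Go's standard library to build root -> level-1 -> server, then signs a further cert with the server's CA:FALSE key and checks that a verifier honouring basicConstraints rejects it. The CA labels, `server.example` and `rogue.example` are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed, sequential; a real CA records issued serials in its database

// mkCert issues a cert for cn signed by parent (nil = self-signed); CA:TRUE/FALSE is always written.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) } // signing is just a key operation: a non-CA parent is not refused here
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// ChainValid: does leaf chain to root via intermediates? An intermediate that is not CA:TRUE is rejected.
func ChainValid(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo builds root -> level-1 -> server, then a cert signed by the server's non-CA key.
func Demo() (bool, bool) {
	root, rootKey := mkCert("Root CA (master.db)", true, nil, nil)
	level1, level1Key := mkCert("Level 1 CA (level1.db)", true, root, rootKey)
	server, serverKey := mkCert("server.example", false, level1, level1Key)
	rogue, _ := mkCert("rogue.example", false, server, serverKey)
	return ChainValid(server, root, level1), ChainValid(rogue, root, level1, server)
}
```

Demo returns (proper chain verifies, non-CA-issued chain verifies); the second value is what a display-only chain view does not tell you, so check it with a real verifier rather than by eye.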
