PKI root signing ceremony, etc.
Rich Salz
rsalz at datapower.com
Sun Dec 14 20:44:12 EST 2003
> *shrug* it doesn't retroactively enforce the safety net - but that's ok,
> most MS products don't either :)
The whole point is to enhance common practice, not stay at the lowest
common denominator.
> Key management and auditing is pretty much external to the actual software
> regardless of which solution you use I would have thought.
You'd be wrong. :) I did just download and use XCA for a little bit.
It's practically impossible to audit. Every key in the database is
protected with the same password. The system ask for the password
as soon as it starts up. If I leave the program running while
I leave my computer, I'm screwed. The key-holder isn't asked to
confirm each signing -- there's no *ceremony* -- and they never
enter the password after the program starts. For any kind of root
these are all very bad.
XCA is pretty nice for a Level-2 or small Level-1 CA. The template
management, etc., is pretty good. (Having them tied to the key database,
and having the keys be unlocked while making cert requests, are both
real bad ideas, however.)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list