
Just a user interface issue?

Posted Feb 28, 2013 22:59 UTC (Thu) by Lennie (guest, #49641)
In reply to: Just a user interface issue? by mjg59
Parent article: Loading keys from Microsoft PE binaries

If we forget for a moment that for this purpose doing a custom CA is not useful in this case... as I wasn't thinking properly.

Doing a secure custom CA needs these things, I guess?
- process/time/people
- physical security
- key security
- redundancy of the physical security and key security solution

If you get yourself some cheap netbooks with a built-in TPM and install Linux on them, you can then store two copies of your keys in two separate safes, possibly in different buildings. Then you have 3 things solved.

An Eastern European TLD does this for their DNSSEC key signing keys if I remember correctly. The zone signing keys are on a machine behind a firewall which is used to push updates to the publicly visible servers.

In DNSSEC the zone signing keys are used to sign the DNS data and key signing keys are used to sign the zone signing keys every couple of months.

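The split Lennie describes, as an added example that is not part of the thread or of any TLD's real setup: the KSK (kept offline, in the safes) signs only the DNSKEY RRset, the ZSK (on the online signer behind the firewall) signs the zone data, and a resolver trusts a ZSK only because a KSK-signed DNSKEY RRset lists it. Signatures here are textbook RSA over SHA-256 with a home-grown prime generator, with no padding and no real RRSIG/DNSKEY wire format; the zone name, records, key tag and key sizes are constructed for illustration. Only the DNSKEY flag values 256 (ZONE) and 257 (ZONE+SEP) are taken from the real protocol.

```python
"""Toy model of the DNSSEC KSK/ZSK hierarchy. Added example, not from the LWN
thread: textbook RSA over SHA-256 modelling the trust chain only; NOT secure or
RFC-conformant (no padding, no wire format). Zone data is constructed."""
import hashlib
import random

_rng = random.Random(2013)  # fixed seed so the example is reproducible

def _is_probable_prime(n, rounds=20):  # Miller-Rabin, fine for a toy keygen
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512, e=65537):
    """Return ((n, e), (n, d)): a toy RSA key pair (assumed sizes, not real ones)."""
    def prime(b):
        while True:
            p = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(p):
                return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data):
    return pow(_h(data), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data)

def canonical(rrset):
    """Deterministic bytes for an RRset given as [(name, type, rdata), ...]."""
    return "\n".join("%s %s %s" % rr for rr in sorted(rrset)).encode()

def key_tag(pub):  # toy stand-in for the 16-bit tag resolvers use to pick a DNSKEY
    return _h(("%d %d" % pub).encode()) & 0xFFFF

def dnskey_rrset(zone, ksk_pub, zsk_pubs):
    """Flags 257 (ZONE+SEP) mark the KSK and 256 (ZONE) the ZSKs, as in real DNSKEY RRs."""
    return ([(zone, "DNSKEY", "257 %d %d" % ksk_pub)]
            + [(zone, "DNSKEY", "256 %d %d" % pub) for pub in zsk_pubs])

def sign_zone(zone, records, ksk, zsks):
    """records: {(name, type): [rdata, ...]}; ksk and each zsk are (pub, priv). The KSK
    signs only the DNSKEY RRset (it can stay offline); the first ZSK signs all data."""
    (ksk_pub, ksk_priv), (zsk_pub, zsk_priv) = ksk, zsks[0]
    dk = dnskey_rrset(zone, ksk_pub, [pub for pub, _ in zsks])
    signed = {(zone, "DNSKEY"): (dk, sign(ksk_priv, canonical(dk)), key_tag(ksk_pub))}
    for (name, rtype), rdatas in records.items():
        rrset = [(name, rtype, rd) for rd in rdatas]
        signed[(name, rtype)] = (rrset, sign(zsk_priv, canonical(rrset)), key_tag(zsk_pub))
    return signed

def validate(signed, zone, trust_anchor, name, rtype):
    """Resolver-side chain: DNSKEY RRset must verify under the trust anchor (the KSK,
    standing in for the parent's DS), then the data under a ZSK from that RRset only."""
    dk, dk_sig, _ = signed[(zone, "DNSKEY")]
    if not verify(trust_anchor, canonical(dk), dk_sig):
        return False
    zsks = {}
    for _, _, rdata in dk:
        flags, n, e = rdata.split()
        if flags == "256":
            zsks[key_tag((int(n), int(e)))] = (int(n), int(e))
    entry = signed.get((name, rtype))
    if entry is None or entry[2] not in zsks:
        return False
    return verify(zsks[entry[2]], canonical(entry[0]), entry[1])

def demo():
    zone, www = "example.test.", "www.example.test."  # constructed zone
    ksk, zsk, attacker = keygen(), keygen(), keygen()
    records = {(zone, "A"): ["192.0.2.10"], (www, "A"): ["192.0.2.11"]}
    signed = sign_zone(zone, records, ksk, [zsk])
    res = {"valid": validate(signed, zone, ksk[0], www, "A")}
    # Forged answer signed with a key the KSK never vouched for.
    forged, rr = dict(signed), [(www, "A", "203.0.113.66")]
    forged[(www, "A")] = (rr, sign(attacker[1], canonical(rr)), key_tag(attacker[0]))
    res["forged_a"] = validate(forged, zone, ksk[0], www, "A")
    # Attacker also swaps in a DNSKEY RRset listing their key: the chain breaks at the anchor.
    fdk = dnskey_rrset(zone, ksk[0], [attacker[0]])
    forged[(zone, "DNSKEY")] = (fdk, sign(attacker[1], canonical(fdk)), 0)
    res["forged_dnskey"] = validate(forged, zone, ksk[0], www, "A")
    # ZSK rollover: KSK leaves the safe once to sign the new DNSKEY RRset; anchor unchanged.
    rolled = sign_zone(zone, records, ksk, [keygen()])
    res["after_rollover"] = validate(rolled, zone, ksk[0], www, "A")
    rolled[(www, "A")] = signed[(www, "A")]  # data still signed by the retired ZSK
    res["stale_zsk"] = validate(rolled, zone, ksk[0], www, "A")
    return res
```

Running `demo()` shows the operational point of the split: the only time the KSK private key is needed is when the DNSKEY RRset changes (the periodic ZSK rollover), so that key can live in the safes, while the ZSK that signs data on every zone update sits on the online machine. A compromise of that online machine lets an attacker forge data only until the next rollover, and a forged DNSKEY RRset fails regardless because the trust anchor (the parent's DS in real DNSSEC) pins the KSK.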


Just a user interface issue?

Posted Feb 28, 2013 23:36 UTC (Thu) by raven667 (subscriber, #5198)

Take a look at the requirements for WebTrust to get an idea of some of the basic minimums of procedures that need to be followed, documented and audited.

http://www.webtrust.org/homepage-documents/item27839.aspx

Just a user interface issue?

Posted Feb 28, 2013 23:45 UTC (Thu) by Lennie (guest, #49641)

Depends what you use it for of course, but if you want to get into browsers or a sub-CA then yes, WebTrust is where you can go.

I know if that is what you want, you need a lot of stuff done because I've been following what CAcert is doing.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds