I have also been contemplating my small personal PKI hierarchy. From the top of my head:
The Root CA would function on a dedicated old laptop, disconnected and offline, running off a Linux USB stick, with the CA's private keys and the intermediate CA's private-key backups stored on smart cards, both kept in a safe when not in use. The Intermediate (secondary) CA(s) would run as an online server with PKI management software for CA functions (signing CSRs, revoking certificates and updating CRLs, etc.) for the certificates of users, applications/services, devices, etc. I think this is a good balance between security and ease of use (and simplicity), at least for my uses. I'd appreciate others' thoughts on this setup.

- Eric

Jean-Michel Pouré wrote:
> On Monday 11 January 2010 at 16:53 +0100, Peter Stuge wrote:
>>>> Of course, if your card is damaged, lost or stolen, your
>>>> certification should be revoked by the CA and reissued with a new
>>>> certification. But you still need the old key to decrypt old data
>>>> to re-encrypt with the new key, right?
>
> This is why I don't intend to generate an RSA key on card.
>
> I plan to create master, secondary and tertiary CAs:
>
> * The primary CA is the backup, stored in a safe place.
> * The secondary CA can be transferred to one or two smartcards used for
>   daily administration.
> * Then I issue tertiary CAs: one for VPN, one for login, etc ...
>
> In this situation, I may use my card to administrate tertiary CAs. If
> the card is lost, I can revoke the secondary CA or issue a backup card.
>
> I thought about an alternative where I would create a primary CA on
> card, sign-up a secondary CA for daily administration. This would be an
> elegant situation without key transfer. But in this case, there is only
> one backup and master card. And as I am a newbie, it seems a little bit
> tricky to rely on a single card!
>
> In my opinion, key transfer is more flexible.
> What do you think? Any suggestion is welcome.
>
> Kind regards,
> Jean-Michel

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
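As an added illustration (not code from either poster), the script below builds the primary/secondary/tertiary hierarchy Jean-Michel sketches with the openssl command-line tool and checks the property that makes per-purpose tertiary CAs safe to hand out: a tertiary issued with pathlen:0 can sign end-entity certificates but anything it tries to sign as a further CA is rejected when the chain is verified against the offline primary. All CA and user names are invented, and the tool is assumed to be OpenSSL's own `openssl` binary.

```shell
#!/bin/sh
set -e
WORK=${WORK:-$(mktemp -d)}

# make_ca NAME PATHLEN [SIGNER]: CA key + cert. No SIGNER means a self-signed root.
make_ca() {
  name=$1; pathlen=$2; signer=$3
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    "$pathlen" > "$WORK/$name.ext"
  if [ -z "$signer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.crt" -CAkey "$WORK/$signer.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# make_leaf NAME SIGNER: end-entity certificate (a VPN peer, a login identity, ...).
make_leaf() {
  name=$1; signer=$2
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.crt" -CAkey "$WORK/$signer.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_leaf NAME CHAIN...: does NAME chain to the offline primary through the given CAs?
verify_leaf() {
  leaf=$1; shift
  : > "$WORK/chain.pem"
  for c in "$@"; do cat "$WORK/$c.crt" >> "$WORK/chain.pem"; done
  openssl verify -CAfile "$WORK/primary.crt" -untrusted "$WORK/chain.pem" "$WORK/$leaf.crt" >/dev/null 2>&1
}

make_ca primary 2            # offline root: the backup that lives in the safe
make_ca secondary 1 primary  # daily-administration CA, the key that goes onto the card
make_ca vpn-ca 0 secondary   # tertiary CAs, one per purpose
make_ca login-ca 0 secondary
make_leaf vpn-user vpn-ca
# A tertiary is signed with pathlen:0, so a CA it signs (a lost card misused) must not verify.
make_ca rogue-ca 0 vpn-ca
make_leaf rogue-user rogue-ca

verify_leaf vpn-user secondary vpn-ca && echo "vpn-user: valid chain to primary"
verify_leaf rogue-user secondary vpn-ca rogue-ca || echo "rogue-user: rejected (path length exceeded)"
```

Note that `openssl x509 -req` itself signs the rogue CA without complaint; the constraint is enforced by verifiers, which is why the path length has to be set on every tier rather than relied on at signing time.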