Re: HSM outage causes root CA key loss

2009-07-15 Thread Peter Gutmann
Jeffrey I. Schiller j...@mit.edu writes: Because of prior experience with a SafeKeyper(tm) (a very large HSM), I learned that when the only copy of your key is in an HSM, the HSM vendor really owns your key, or at least they own you! I thought the Safekeypers had a cloning mechanism (as do things
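The custody problem raised in the post above, a key whose only copy lives inside one HSM, is usually addressed by keeping an offline backup of the key split among several custodians, so that neither the HSM nor its vendor is a single point of failure. What follows is an added example for this thread, not code from any poster or from the products mentioned: a standard-library-only Shamir secret-sharing routine that splits an arbitrary key blob into n shares, any k of which reconstruct it. The sample "key" is a constructed placeholder, not a real CA private key, and the function names, share encoding and field prime are assumptions of this example.

```python
"""Threshold (k-of-n) backup of a CA signing key with Shamir secret sharing.

Added example, not from the thread. Standard library only; Python 3.8+
(uses pow(x, -1, p) for modular inverses).
"""
import secrets

P = 2**521 - 1   # Mersenne prime M521; every 512-bit chunk is below it
CHUNK = 64       # the secret is split 64 bytes at a time
YLEN = 66        # a residue mod P fits in 66 bytes


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Split `secret` (bytes) into n shares such that any k reconstruct it.

    Share layout (assumed for this example):
      1-byte x coordinate || 4-byte original length ||
      one 66-byte y value per 64-byte chunk of the zero-padded secret.
    """
    if not (1 < k <= n <= 255):
        raise ValueError("need 1 < k <= n <= 255")
    length = len(secret)
    padded = secret + b"\x00" * (-length % CHUNK)
    chunks = [padded[i:i + CHUNK] for i in range(0, len(padded), CHUNK)]
    shares = {x: bytearray([x]) + length.to_bytes(4, "big") for x in range(1, n + 1)}
    for chunk in chunks:
        # Constant term is the secret chunk; the other k-1 coefficients are random,
        # so any k-1 shares reveal nothing about the chunk.
        coeffs = [int.from_bytes(chunk, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x in range(1, n + 1):
            shares[x] += _eval_poly(coeffs, x).to_bytes(YLEN, "big")
    return [bytes(s) for s in shares.values()]


def recover_secret(shares):
    """Recover the secret from any k shares by Lagrange interpolation at x = 0.

    Caveat: with fewer than k shares the result is uniformly random garbage,
    not an error, so always validate the recovered key (e.g. against the
    CA's public key) before using it.
    """
    parsed = []
    for s in shares:
        x, ys = s[0], s[5:]
        parsed.append((x, [int.from_bytes(ys[i:i + YLEN], "big") for i in range(0, len(ys), YLEN)]))
    xs = [x for x, _ in parsed]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    length = int.from_bytes(shares[0][1:5], "big")
    out = bytearray()
    for ci in range(len(parsed[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(parsed):
            num, den = 1, 1
            for m, (xm, _) in enumerate(parsed):
                if m != j:
                    num = num * xm % P
                    den = den * (xm - xj) % P
            # Lagrange basis polynomial L_j(0) = prod_{m != j} x_m / (x_m - x_j)
            acc = (acc + yj[ci] * num * pow(den, -1, P)) % P
        # A correct chunk is < 2**512, so the low 64 bytes of the 66-byte encoding hold it.
        out += acc.to_bytes(YLEN, "big")[-CHUNK:]
    return bytes(out[:length])


def demo():
    """Split a constructed placeholder key 3-of-5 and check the threshold behaves."""
    key = b"constructed placeholder for a DER-encoded CA private key" * 3  # not a real key
    shares = split_secret(key, n=5, k=3)
    ok_three = recover_secret([shares[0], shares[2], shares[4]]) == key
    ok_all = recover_secret(shares) == key
    fails_two = recover_secret(shares[:2]) != key
    return ok_three and ok_all and fails_two


if __name__ == "__main__":
    print("3-of-5 split/recover behaves as expected:", demo())
```

The split should be run on the same offline machine that generated the key, with each share handed to a different custodian and the padded working copy wiped afterwards; the shares are as sensitive as the key itself. Because an under-threshold reconstruction yields random bytes rather than an error, a known-answer check on the recovered key (signing a test value and verifying it with the published CA certificate) belongs in any recovery procedure.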

Re: HSM outage causes root CA key loss

2009-07-15 Thread Peter Gutmann
Nicolas Williams nicolas.willi...@sun.com writes: This goes to show that we do need a TA distribution protocol (not for the web, mind you), and it needs to use PKI -- a distinct, but related PKI. ... and now you have two (probably unsolvable) problems instead of one. In addition because

Re: HSM outage causes root CA key loss

2009-07-15 Thread Peter Gutmann
Jeffrey I. Schiller j...@mit.edu writes: Our current Server CA certificate will expire in 2026 (when hopefully it won't be my problem!). Thus the universal CA root cert lifetime policy: the lifetime of a CA root certificate is the time till retirement of the person in charge at its creation,

RE: HSM outage causes root CA key loss

2009-07-15 Thread Weger, B.M.M. de
Hi, Our current Server CA certificate will expire in 2026 (when hopefully it won't be my problem!). Thus the universal CA root cert lifetime policy: the lifetime of a CA root certificate is the time till retirement of the person in charge at its creation, plus five years :-). This neglects the

HSM outage causes root CA key loss

2009-07-14 Thread Peter Gutmann
I haven't been able to find an English version of this, but the following news item from Germany: http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864 reports that the PKI for their electronic health card has just run into trouble: they were storing the

Re: HSM outage causes root CA key loss

2009-07-14 Thread Stefan Kelm
http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864 reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or

Re: HSM outage causes root CA key loss

2009-07-14 Thread Jeffrey I. Schiller
- Peter Gutmann pgut...@cs.auckland.ac.nz wrote: I haven't been able to find an English version of this, but the following news item from Germany: ... It is exactly for this reason that when we generated the root key for the U.S. Higher Education PKI we did it outside of an HSM and then

Re: HSM outage causes root CA key loss

2009-07-14 Thread Charles McElwain
At 5:58 PM +1200 7/13/09, Peter Gutmann wrote: I haven't been able to find an English version of this, but the following news item from Germany: http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864

RE: HSM outage causes root CA key loss

2009-07-14 Thread Weger, B.M.M. de
Hi, reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or revoking existing ones. Suppose this happens in a production environment of some CA

RE: HSM outage causes root CA key loss

2009-07-14 Thread Paul Hoffman
At 11:09 PM +0200 7/14/09, Weger, B.M.M. de wrote: Any other problems? Maybe something with key rollover or interoperability? Bingo. Key rollover has been thinly tested in relying parties. --Paul Hoffman, Director --VPN Consortium

Re: HSM outage causes root CA key loss

2009-07-14 Thread Nicolas Williams
On Tue, Jul 14, 2009 at 11:09:41PM +0200, Weger, B.M.M. de wrote: Suppose this happens in a production environment of some CA (root or not), how big a problem is this? I can see two issues: - they have to build a new CA and distribute its certificate to all users, which is annoying and maybe

Re: HSM outage causes root CA key loss

2009-07-14 Thread Dirk-Willem van Gulik
Weger, B.M.M. de wrote: - if they rely on the CA for signing CRLs (or whatever revocation mechanism they're using) then they have to find some other way to revoke existing certificates. ... Seems to me that for signing CRLs it's better to have a separate Revocation Authority (whose