Hi,
Those who are interested in key management may wish to note:
Cryptographic Key Management Workshop 2014
http://www.nist.gov/itl/csd/ct/ckm_workshop2014.cfm
March 4-5, 2014, NIST, Gaithersburg MD
See also:
SP 800-152
DRAFT A Profile for U.S. Federal Cryptographic Key
Paul Fraser asked:
#Software and physical safe keeping of Root CA secret key are central to
#security of a large set of issued certificates.
#
#Are there any safe techniques for handling this problem taking into account the
#need to not have the control in the hands of one person?
#
#Any links
Hi,
strife asked:
#Can anyone enlighten me why client TLS certificates are used so rarely? It
#used to be a hassle in the past, but now at least the major browsers offer
#quite decent client cert support,
Not quite seeing eye-to-eye with you on the quite decent client cert
support point, I'm
ianG asked:
#Would it be possible to describe in general words what LOA-1 thru 4 entails?
I hesitate to try to do so. The definitive answer can be found in
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
and includes many subtle and important points, but just to focus
Chris Palmer commented:
# Well, its obviously not quite that easy yet, but users can currently get
# a free client cert by visiting a web page and filling out a form, and
#
#IanG's point was that there should be no web page, no form. You know
#how sshd generates a host key when there isn't one
Ian asked:
#Right -- how to fix the race to the bottom?
Wasn't that supposed to be part of the Extended Validation solution?
If it has failed at that, and I could see arguments either way, the
other natural solution is probably government regulation. It likely
wouldn't be pretty, but imagine:
Peter Gutmann pgut...@cs.auckland.ac.nz commented:
#[0] I'm being conservative here, in practice I don't recall seeing anyone
#expressing faith in PKI, but I didn't read every one of the vast numbers
#of comments.
Well, I'd suggest that NIST 800-63