Re: PKI Disaster Recovery and Key Rollover



"Denis Pinkas" <denis.pinkas@xxxxxxxx> writes:

>This document presents a framework to assist the writers of policy or
>practice statements and the designers of a Public Key Infrastructure to
>prepare disaster recovery plans in case of a private key-compromise or a
>private key-loss. This may happen to end-entity keys, Certification
>Authorities, Revocation Authorities, Attribute Authorities, or Time-Stamping
>Authorities.  Since certificates have finite validity, CA key-rollover should
>be planned in advance.

Should it also cover the far more serious problem of the CA going out of
business?  I've talked to users of a number of CAs that have failed and the
effect has been pretty chaotic on relying parties and users: one day the CA
just isn't there any more, and everything stops working.  This seems to be by
far the most serious real-world-impact CA issue that I've encountered, but
it's not even considered in any PKI documentation that I know of.

Peter.