
Re: PKI Disaster Recovery and Key Rollover



Peter,

The point you mention seems to me to lie somewhere between technical matters and juridical matters.

It is addressed in different ETSI documents that may be downloaded free of charge from: 
http://www.etsi.org/services_products/freestandard/home.htm

In particular ETSI TS 101 456 and ETSI TS 102 042.

Here is an extract from ETSI TS 101 456:

7.4.9	CA termination

The CA shall ensure that potential disruptions to subscribers and relying parties are minimized 
as a result of the cessation of the CA's services, and ensure continued maintenance of records 
required to provide evidence of certification for the purposes of legal proceedings (see the 
Directive [1], annex II (i)). In particular:

a)	Before the CA terminates its services the following procedures shall be executed as a minimum:

-	the CA shall inform all subscribers, relying parties and other CAs with which it has agreements 
    or other form of established relations.

NOTE:	The CA is not required to have a prior relationship with the relying party.

-	the CA shall terminate all authorization of subcontractors to act on behalf of the CA
    in the performance of any functions related to the process of issuing certificates;
-	the CA shall perform necessary undertakings to transfer obligations for maintaining 
    registration information (see clause 7.3.1) and event log archives (see clause 7.4.11) 
    for their respective period of time as indicated to the subscriber and relying party (see clause 7.3.4);
-	the CA shall destroy, or withdraw from use, its private keys, as defined in clause 7.2.6.

b)	The CA shall have an arrangement to cover the costs to fulfil these minimum requirements 
      in case the CA becomes bankrupt or for other reasons is unable to cover the costs by itself.

c)	The CA shall state in its practices the provisions made for termination of service. 
    This shall include:
-	the notification of affected entities;
-	the transfer of its obligations to other parties;
-	the handling of the revocation status for unexpired certificates that have been issued.

Do you think that some parts of this text should be incorporated in the current draft?

Denis

===============================================================

>"Denis Pinkas" <denis.pinkas@xxxxxxxx> writes:
>
>>This document presents a framework to assist the writers of policy or
>>practice statements and the designers of a Public Key Infrastructure to
>>prepare disaster recovery plans in case of a private key-compromise or a
>>private key-loss. This may happen to end-entity keys, Certification
>>Authorities, Revocation Authorities, Attribute Authorities, or Time-Stamping
>>Authorities.  Since certificates have finite validity, CA key-rollover should
>>be planned in advance.
>
>Should it also cover the far more serious problem of the CA going out of
>business?  I've talked to users of a number of CAs that have failed and the
>effect has been pretty chaotic on relying parties and users: one day the CA
>just isn't there any more, and everything stops working.  This seems to be by
>far the most serious real-world-impact CA issue that I've encountered, but
>it's not even considered in any PKI documentation that I know of.
>
>Peter.

Regards,

Denis Pinkas