RE: PKI Disaster Recovery and Key Rollover
"Santosh Chokhani" <chokhani@xxxxxxxxxxxx> writes:
>The Policy Framework (Informational RFC 3647) has a section on CA and RA
>Termination.
Do you mean section 4.5.8:
This subcomponent describes requirements relating to procedures for
termination and termination notification of a CA or RA, including the
identity of the custodian of CA and RA archival records.
This seems to provide about as much utility as Cygnus' corporate drugs policy
:-).
>I have seen a number of Certificate Policies drafted that describe
>requirements as to what a CA must do prior to termination of service.
Given the number of CAs whose users I've talked to for which the termination
of service consisted of "404 Not Found", I think this is something that needs
to be addressed in more detail. In particular since this draft is supposed to
cover "PKI Disaster Recovery" and having your CA suddenly vanish is the single
biggest possible disaster that can hit a PKI, I think a fair amount of the
document should be devoted to this. Where do the CA keys go? Who issues
CRLs? (A real-world example there, one national PKI that evaporated suddenly
was left with the problem that while the hardware was still in place, there
were no staff left who knew how to issue a CRL). Who takes over the defunct
CA's role? Who gets the CA's keys? (Again, real-world example, they end up on
eBay for sale to the highest bidder). You could easily write a small book on
all of this, it really is the single most drastic PKI disaster recovery issue
that we have, and probably the most frequently-occurring (CA- rather than EE-
related) one.
Peter.