
Re: PKI Disaster Recovery and Key Rollover






On 7/9/07 6:45 AM, "Denis Pinkas" <denis.pinkas@xxxxxxxx> wrote:

> 
> To the WG,
> 
> I edited together with Joel Kazin an individual Internet-Draft that has been
> placed on the IETF web server.
> The target category is INFORMATIONAL.
> 
> The document is now available at:
> https://datatracker.ietf.org/drafts/draft-pinkas-pkix-pki-dr-kr
> 
> The abstract is the following:
> 
>    This document presents a framework to assist the writers of policy
>    or practice statements and the designers of a Public Key
>    Infrastructure to prepare disaster recovery plans in case of a
>    private key-compromise or a private key-loss.  This may happen to
>    end-entity keys, Certification Authorities, Revocation Authorities,
>    Attribute Authorities, or Time-Stamping Authorities.  Since
>    certificates have finite validity, CA key-rollover should be
>    planned in advance.

Key rollover is included in the SCEP draft:
http://www.ietf.org/internet-drafts/draft-nourse-scep-15.txt
For CA certificates, we have the ability to retrieve the "next" certificate,
which is the certificate that will replace the current CA certificate when
it expires.  The SCEP response is signed by the current CA cert, as it is
intended that the "next" certificate be retrieved while the current one is
still valid.

Normally, CA key rollover would happen when the CA key expires, but it could
be done early in the event of key compromise or loss.


Andy Nourse
Cisco Systems
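
The trust check the reply describes (the "next" CA certificate is accepted because the response carrying it is signed by the still-valid current CA cert), as an added example that is not part of the original message and not SCEP implementation code. It uses the `openssl` CLI and wraps the PEM certificate directly in CMS SignedData rather than reproducing the SCEP message encoding; every CA name and file name in it is constructed.

```shell
#!/usr/bin/env bash
# Constructed demo: CA names, file names and the temp directory are made up.
set -eu
WORK=$(mktemp -d)

# make_ca NAME: throwaway self-signed CA key and certificate (30 days).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# CA side. publish_next SIGNER NEXT OUT: SignedData over NEXT's certificate,
# signed with SIGNER's key (the current CA in the legitimate case).
publish_next() {
  openssl cms -sign -binary -nodetach -outform DER \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -in "$WORK/$2.crt" -out "$WORK/$3" 2>/dev/null
}

# Client side. accept_next TRUSTED RESPONSE: succeed and print the new
# subject only if TRUSTED is still within its validity period and the
# response signature chains to it.
accept_next() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkend 0 >/dev/null || return 1
  openssl cms -verify -binary -inform DER -in "$WORK/$2" \
    -CAfile "$WORK/$1.crt" -out "$WORK/$2.crt" 2>/dev/null || return 1
  openssl x509 -in "$WORK/$2.crt" -noout -subject
}

make_ca current-ca; make_ca next-ca; make_ca rogue-ca
publish_next current-ca next-ca good.p7   # signed by the current CA
publish_next rogue-ca   rogue-ca bad.p7   # signed by an untrusted key

for resp in good.p7 bad.p7; do
  if accept_next current-ca "$resp"; then
    echo "$resp: next CA certificate accepted"
  else
    echo "$resp: rejected, not signed by the current CA"
  fi
done
```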