RE: RFC 2527 Physical Security Controls Question
Michael,
I do not think it is unreasonable to assume that a CA's adversaries might be
national services, organized crime, or other organizations of similar
strength. With attacks based on differential power analysis
(http://www.cryptography.com/dpa/Dpa.pdf) and related techniques becoming at
least theoretically possible, a TEMPEST-shielded SCIF-style design might not
be a bad idea.
While this might be overkill for a private enterprise CA, a commercial CA
might very well find such protection measures reasonable and worth the cost.
Remember that the compromise of the CA's private key may never become
evident to the CA. Also, given the loss of credibility that would be
incurred, the CA might be very reluctant to go through the very onerous task
of revoking and replacing its root keys. I am fairly certain that
obligations to the CA's subscribers as well as its stockholders would be
part of the decision process. As a point of reference, I have heard a
number of anecdotal stories about large banks that decided to simply absorb
losses from electronic break-ins rather than make such situations public and
risk loss of consumer confidence and/or higher insurance rates.
-John Kennedy
jkennedy@trustpoint.com
> -----Original Message-----
> From: MHenry [mailto:MHenry@PEC.com]
> Sent: Friday, December 10, 1999 11:08 AM
> To: 'ietf-pkix@imc.org'
> Cc: 'pki-twg@csmes.ncsl.nist.gov'
> Subject: RFC 2527 Physical Security Controls Question
>
> All,
>
> RFC 2527 (CP and CPS Framework), 4.5.1, Physical Security Controls,
> includes site location and CA facility construction as topics that
> should be considered in a CP or CPS.
>
> I am in the process of writing a CP/CPS and I am looking for standards
> that would apply to this section.
>
> Can anyone point me towards an industry/private sector/civil side of
> government "standard" for hardening a facility? I am particularly looking
> for some sort of construction standards that would permit me to
> distinguish between, for example, a CA facility that might fairly be
> described as being built to support a "high" standard of
> security/assurance and one built to a "medium" standard. Can it be wood?
> Brick? Steel? One story? Windows? Etc.?
>
> I spent decades concerned with SCIF designs and vulnerabilities but
> I don't think that is what I need here. My potential adversaries are not
> national services and what I am protecting is not of such persistent high
> value to most people.
>
> Thanks,
> Michael C. Henry
> Principal Member of the Technical Staff
> Performance Engineering Corporation
> 3949 Pender Drive
> Fairfax, VA