[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: RFC 2527 Physical Security Controls Question
In a message dated 12/15/99 1:42:10 PM Eastern Standard Time,
BJUENEMAN@novell.com writes:
<< There are certainly a number of commercial applications where the use
an armed, lethal, and strong response to a forcible intrusion or attack
would
be both prudent and justifiable. I am thinking about a nuclear reactor, a
control center that administers regional gas or electrical power supplies,
a major banking facility, a printing company that prints Traveler's Checks,
etc. >>
This is exactly the kind of debate I wanted to spark, and I agree
wholeheartedly with your reasoned response. I agree that the danger to a CA
that only issues signing keys is minimal... A CA that issues encryption keys
is another matter, since it's compromise or destruction could render
extremely valuable information unrecoverable.
While in the US and UK, there is the common theme that you only take life to
protect life, there are other countries (and subcultures like organized
crime) who take a markedly different view. God forbid one of us ever gets
hired to build a CA for the Russian Mafia....
I think the Industrial Security Manual is an excellent starting point since
it mirrors most DOD standards. But it also has one significant weakness; it
was initially written to protect paper documents and other concrete (as
opposed to virtual) objects. Special care must be taken to protect against
the latest and greatest threats (perhaps EMP) to computers.