I am trying to figure out the best practice to obtain PCI (payment card industry) compliance - especially the split knowledge and dual control portion using ikeyman for certificates from a CA provider.
Split knowledge is "a condition under which two or more parties separately have key components which, individually, convey no knowledge of the resultant cryptographic key. The resultant key exists only within secure equipment." Dual control is explained in the standard as "a process of utilizing two or more separate entities (usually persons), operating in concert, to protect sensitive functions or information." Split knowledge and dual control may be used to protect the centrally stored user secret keys and root private keys, secure the distribution of user tokens, and initialize all cryptomodules in the system to "authorize" their use in performing cryptographic functions within a system.
Using ikeyman, it seems to me that one person must have the ability to see both the public and the private key. I am wondering if anyone has achieved PCI compliance using ikeyman and if they can point me in a direction with some answers. Thanks for your help.
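As an added illustration of the two definitions quoted in the question (this is example code written for this page, not part of the original post and not something ikeyman itself provides), the script below shows the classic XOR component scheme used for split knowledge: every component but the last is uniformly random, so any subset of fewer than all components is statistically independent of the key, and the key only ever exists inside the combine step. Dual control is modelled by a `key_ceremony` function that refuses to run with fewer than two custodians and returns only a key check value, never the key. The `check_value` helper is a simplified stand-in (a truncated SHA-256) for the encrypt-a-zero-block KCV that payment HSMs use; the function and variable names are the example's own.

```python
"""XOR split knowledge with a dual-control combine step (stdlib only).

Constructed example: the sample key, custodian names and check-value
format are illustrative, not values from any real deployment.
"""
import hashlib
import secrets
from typing import List, Sequence


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """Split `key` into `parts` XOR components.

    Components 0..parts-2 are fresh random bytes; the last one is
    key XOR (all the others). Any parts-1 components together look like
    random noise, which is exactly the "convey no knowledge" property.
    """
    if parts < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_key(components: Sequence[bytes]) -> bytes:
    """XOR all components back together; the only place the key exists."""
    if not components:
        raise ValueError("no components supplied")
    result = components[0]
    for component in components[1:]:
        result = xor_bytes(result, component)
    return result


def check_value(secret: bytes) -> str:
    """Short key check value (KCV) so a custodian can confirm a component
    or the combined key without ever revealing it. Simplified stand-in for
    the AES/TDES zero-block KCV used by payment HSMs."""
    return hashlib.sha256(secret).hexdigest()[:6]


def key_ceremony(custodian_components: Sequence[bytes], expected_kcv: str) -> str:
    """Dual control: reconstruct the key only when at least two custodians
    each present their component, verify it against the recorded KCV, and
    let nothing but the KCV leave this function."""
    if len(custodian_components) < 2:
        raise PermissionError("dual control requires at least two custodians")
    key = combine_key(custodian_components)
    kcv = check_value(key)
    if kcv != expected_kcv:
        raise ValueError("combined key does not match the recorded check value")
    # In a real ceremony the key would now be loaded into the HSM / secure
    # key store here, inside the secure boundary, and then discarded.
    del key
    return kcv


if __name__ == "__main__":
    # Constructed 256-bit sample key; in practice it is generated inside
    # the secure device and never seen whole by one person.
    sample_key = secrets.token_bytes(32)
    recorded_kcv = check_value(sample_key)
    custodians = split_key(sample_key, parts=2)
    for name, component in zip(("custodian A", "custodian B"), custodians):
        # Each custodian records only their own component's KCV.
        print(f"{name}: component KCV {check_value(component)}")
    print("ceremony KCV:", key_ceremony(custodians, recorded_kcv))
```

The point for the question is that the property comes from the key-management procedure, not from the key-store tool: a single administrator with access to the complete key database can always see both halves of a key pair, so the split and the ceremony have to happen before the key ever reaches that database (typically inside an HSM or during a witnessed key-generation ceremony).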