
BR16.5 key generation ceremony


Varga Viktor

Apr 13, 2011, 1:58:36 PM
to dev-secur...@lists.mozilla.org
My problems with this:

1. Nobody wants to give access to the secure zone to a person who is not affiliated with the company, to show him/her how the most important keys are generated. This secret is a part of the CA's secrets.

2. It is impossible to have an independent auditor at the key generation every time a key is generated for a subCA. The presence would have to be financially compensated, and this relationship can move in the direction of dependence.

3. Video. :)
I know that if somebody hears the name of this process, they can think that at the key generation "ceremony" we drink a lot of Champagne and there are 10-point girls everywhere, but the reality is different. (unfortunately)
In the secure zone there is nothing that we can put on video. Should we record the screen? Or the keyboard with the passwords and PINs entered?

I think this last one is a stupid option.
A key generation "ceremony" is not a hack scene from Swordfish. :)


Üdvözlettel/Regards,

Varga Viktor
Üzemeltetési és Vevőszolgálati Vezető
IT Service and Customer Service Executive
Netlock Kft.



Eddy Nigg

Apr 13, 2011, 3:23:47 PM
to mozilla-dev-s...@lists.mozilla.org
On 04/13/2011 08:58 PM, From Varga Viktor:

> 2. It is impossible to have an independent auditor at the key generation every time a key is generated for a subCA. The presence would have to be financially compensated, and this relationship can move in the direction of dependence.

I agree with that, it's not feasible. Scheduling root key generation is
already a pain...

> I know that if somebody hears the name of this process, they can think that at the key generation "ceremony" we drink a lot of Champagne and there are 10-point girls everywhere, but the reality is different. (unfortunately)

Perhaps we should introduce a new requirement along these lines ;-)

> In the secure zone there is nothing that we can put on video. Should we record the screen? Or the keyboard with the passwords and PINs entered?

Yes, the auditor can screen the scene and process. I usually do this by
commenting on exactly what I do and why...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Ian G

Apr 15, 2011, 7:26:35 AM
to dev-secur...@lists.mozilla.org
On 14/04/11 3:58 AM, Varga Viktor wrote:
> My problems with this:
>
> 1. Nobody wants to give access to the secure zone to a person who is not affiliated with the company, to show him/her how the most important keys are generated. This secret is a part of the CA's secrets.
>
> 2. It is impossible to have an independent auditor at the key generation every time a key is generated for a subCA. The presence would have to be financially compensated, and this relationship can move in the direction of dependence.
>
> 3. Video. :)

> I know that if somebody hears the name of this process, they can think that at the key generation "ceremony" we drink a lot of Champagne and there are 10-point girls everywhere, but the reality is different. (unfortunately)
> In the secure zone there is nothing that we can put on video. Should we record the screen? Or the keyboard with the passwords and PINs entered?

4. The auditor opines on whether you have good procedures in place, and
whether your actions match those procedures. He or she doesn't prove
each procedure & event. Instead, he or she uses the "audit risk model"
to determine which things to concentrate on, and does statistical
sampling where things are too big.

So, as a consequence of this, if your procedures for the key ceremony are
good, then the auditor's need to check them goes down. If they are bad,
then the auditor is more likely to check them. Therefore, doing video is
actually a good idea in the sense that, if it helps to improve your
logging and reduces the auditor's costs, do it. (cf. Eddy's comment.)

It however should not be "encouraged", and it certainly shouldn't be
sold, like it is in this document ... for the next reason:

5. It is a failure of auditor independence. The same thing was seen
in the EV Guidelines, and I'm somewhat bemused as to what the auditors were
thinking. I'm guessing the auditors weren't really consulted on this
section...

Logic. Audit is subject to some variant of the Heisenberg paradox.
Which is to say that the auditor's presence changes the result. In this
case, the reason that the CA wants the auditor there is so that the
procedure can be described to others as being good. This has the
unfortunate effect of actually lowering the quality of the procedure,
because there is an appeal-to-authority implicit in it. "The auditor was
there, he was happy, stop your whinging..." Which directs attention away
from the procedures and logging to the pomp & circumstance of the
ceremony. It's far cheaper to buy a day's presence than a good procedure.

iang, who has direct evidence of quality going down as auditor presence
goes up...

Erwann Abalea

Apr 18, 2011, 7:38:20 AM
to mozilla-dev-s...@lists.mozilla.org
On 13 Apr, 19:58, Varga Viktor <Varga.Vik...@netlock.hu> wrote:
> 1. Nobody wants to give access to the secure zone to a person who is not affiliated with the company, to show him/her how the most important keys are generated. This secret is a part of the CA's secrets.

We hire a notary to follow the Key Ceremonies we produce. His job is to
follow and assert that what is done is exactly what we described we'd
do (i.e. we're really following the prepared script), that every other
witness (customer and internal employees) also validates and follows the
script, and that each witness and secret-share holder has their identity
checked and recorded.

Keeping everything secret is not a good practice. In fact, being
transparent with the customer is a much better way of providing trust.

> 2. It is impossible to have an independent auditor at the key generation every time a key is generated for a subCA. The presence would have to be financially compensated, and this relationship can move in the direction of dependence.

Of course, the presence of this notary is compensated for by the price of
a Key Ceremony.

Remember: "you get what you pay for" :)

> 3. Video. :)
> I know that if somebody hears the name of this process, they can think that at the key generation "ceremony" we drink a lot of Champagne and there are 10-point girls everywhere, but the reality is different. (unfortunately)
> In the secure zone there is nothing that we can put on video. Should we record the screen? Or the keyboard with the passwords and PINs entered?

And of course, everything done in our Key Ceremonies is recorded on
video, by a professional, with several cameras (one of them directly
above the keyboard). The customer goes home with a copy of the DVD. No
PIN or password is entered on the keyboard. We have a separate PIN pad
for this, into which we directly plug the hardware tokens to enable our
HSMs. Of course, no camera looks directly at this PIN pad. But the
witnesses (notary, customer, internal) can see how this PIN pad is used
(PIN entry is hidden by hand, as you'd do at an ATM).

--
Erwann.

Jean-Marc Desperrier

Apr 26, 2011, 4:51:40 AM
to mozilla-dev-s...@lists.mozilla.org
Erwann Abalea wrote:
>> 3. Video. :)
>>> I know that if somebody hears the name of this process, they can think
>>> that at the key generation "ceremony" we drink a lot of Champagne and there
>>> are 10-point girls everywhere, but the reality is different. (unfortunately)
>>> [...]

> And of course, everything done in our Key Ceremonies is recorded on
> video, by a professional, with several cameras

You forgot to tell him about the Champagne, Erwann ;-)

It's a shame you don't also have some "Moulin Rouge" girls come by ... ;-)

Erwann Abalea

Apr 26, 2011, 10:11:52 AM
to mozilla-dev-s...@lists.mozilla.org
Hi Jean-Marc,

On 26 Apr, 10:51, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> Erwann Abalea wrote:
> >> 3. Video. :)
> >>> I know that if somebody hears the name of this process, they can think
> >>> that at the key generation "ceremony" we drink a lot of Champagne and there
> >>> are 10-point girls everywhere, but the reality is different. (unfortunately)
> >>> [...]
> > And of course, everything done in our Key Ceremonies is recorded on
> > video, by a professional, with several cameras
>
> You forgot to tell him about the Champagne, Erwann ;-)

Only for very big customers, or when our margins were high enough.
Business comes first.

> It's a shame you don't also have some "Moulin Rouge" girls come by ... ;-)

It's been proposed, but they didn't want their real identity to be
verified by a Notary. Too bad, now we have a comfortable key ceremony
room (no, there's no couch or big chairs, not yet, only a much bigger
room, with space for the attendants to work in) :)

Joking apart, I forgot to mention that these practices were inherited from
the time we worked as a Verisign subsidiary. Even if we no longer work
together, it's still sad to see them placed in the same box as Comodo,
GoDaddy, and other "low-value cert issuers" by end-users.

--
Erwann.
