End-Entity Issuing CA with HSM

From: Benkman (Benkman_at_discussions.microsoft.com)
Date: 10/11/04

    Date: Sun, 10 Oct 2004 19:09:02 -0700


    Hello,

    I'm looking at the use of an nCipher nShield HSM with an online Enterprise
    Subordinate CA that issues end-entity certs.

    I was reading Deploying PKI Inside Microsoft and came across the following
    policy in regard to operator card setup for the nShield HSM:

    "The operator cards for the online issuing CAs remained inserted into the
    nShield modules, because they were needed each time a CA’s key was accessed.
    This key access is needed each time a certificate or CRL is signed by the CA.
    This level of security, in combination with restricted employee access,
    helped maintain a high level of assurance around the use of these CAs."

    Obviously there is a need to have the keys present in the module for signing
    but what are people's thoughts on making the card set persistent, loading the
    keys and removing the card from the module?

    I guess it's a decision between usability and security, as if the above
    implementation occurred and the CA lost connection to the module (reboot or
    whatever) the keys would have to be manually loaded.

    Has anyone using HSMs for online CAs implemented a different strategy?

    Benkman

    For example

