End-Entity Issuing CA with HSM
From: Benkman (Benkman_at_discussions.microsoft.com)
Date: 10/11/04
- Previous message: Steven L Umbach: "Re: Domain Controller Computer Trusted For Delegation?"
- Next in thread: Brian Komar: "Re: End-Entity Issuing CA with HSM"
- Reply: Brian Komar: "Re: End-Entity Issuing CA with HSM"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 10 Oct 2004 19:09:02 -0700
Hello,
I'm looking at the use of an nCipher nShield HSM with an online Enterprise
Subordinate CA that issues end-entity certs.
I was reading Deploying PKI Inside Microsoft and came across the following
policy in regard to operator card setup for the nShield HSM:
"The operator cards for the online issuing CAs remained inserted into the
nShield modules, because they were needed each time a CA’s key was accessed.
This key access is needed each time a certificate or CRL is signed by the CA.
This level of security, in combination with restricted employee access,
helped maintain a high level of assurance around the use of these CAs."
Obviously there is a need to have the keys present in the module for signing
but what are people's thoughts on making the card set persistent, loading the
keys and removing the card from the module?
I guess it's a decision between usability and security, as if the above
implementation occurred and the CA lost connection to the module (reboot or
whatever), the keys would have to be manually loaded.
Has anyone using HSMs for online CAs implemented a different strategy?
Benkman