On 06/08/2011 12:57 PM, Michael Newbery wrote:
On 8/6/11 12:22 PM, "Jay Daley" wrote:
On 8/06/2011, at 10:59 AM, Michael Newbery wrote:
Which leads me to ask, is it possible for no one person to know the key, but rather to have just a portion of a key?
Not if the controls are followed.
In any system, ours as proposed for .nz, or the TCR system for the root, collusion between multiple bad actors can lead to controls being subverted and key material stolen.
And unless I'm missing something, all it takes for .nz is the collusion of two people: one SA and one SO. The root by contrast requires much greater collusion.
The paragraph I have a little trouble with is: "A System Administrator is allowed to physically access the device containing the keys. A Security Officer is allowed to access the keystore holding the keys."
Cast in the passive voice, this doesn't actually tell me who enforces this, nor in what manner.
Let me clarify this a little bit more. A person wanting to access the keystore will require two credentials to do so: one credential to access the signing box, and a different credential to access the keystore. The way it's worded in the policy is that only System Administrators hold a credential to access the signing box, and only Security Officers hold a credential to access the keystore. No one person can ever fulfill both roles. So it's proposed as a four-eyes principle (or split knowledge).
That's what publishing the DPS is intended to achieve. Is the level of detail in there on key management processes sufficient?
Close, in fact maybe this discussion will establish that they are sufficient.
Cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
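The two-credential control described in Sebastian's clarification, as an added Python model that is not part of the thread or the .nz policy; the role names, the KeystorePolicy class and the constructed role table are assumptions made for this illustration.

```python
# Added illustration (not from the thread): a model of the two-credential
# keystore control. Role names and the AccessDecision shape are assumptions.
from dataclasses import dataclass

SYSTEM_ADMIN = "SA"      # may log in to the signing box
SECURITY_OFFICER = "SO"  # may unlock the keystore on that box


@dataclass(frozen=True)
class AccessDecision:
    granted: bool
    reason: str


class KeystorePolicy:
    def __init__(self, roles: dict[str, set[str]]):
        # roles maps a person's name to the set of roles they hold
        self.roles = roles

    def separation_violations(self) -> list[str]:
        """People holding both roles: each could reach the keys alone."""
        both = {SYSTEM_ADMIN, SECURITY_OFFICER}
        return sorted(p for p, r in self.roles.items() if both <= r)

    def keystore_access(self, box_login: str, keystore_login: str) -> AccessDecision:
        """Decide an attempt where box_login presented the signing-box
        credential and keystore_login presented the keystore credential."""
        if SYSTEM_ADMIN not in self.roles.get(box_login, set()):
            return AccessDecision(False, f"{box_login} holds no signing-box credential")
        if SECURITY_OFFICER not in self.roles.get(keystore_login, set()):
            return AccessDecision(False, f"{keystore_login} holds no keystore credential")
        if box_login == keystore_login:
            # one person presenting both credentials defeats the four-eyes rule
            return AccessDecision(False, f"{box_login} acted as both SA and SO")
        return AccessDecision(True, f"SA {box_login} and SO {keystore_login} both present")


# Constructed role table: alice and bob are SAs, carol is an SO,
# dave wrongly holds both roles and should be flagged.
EXAMPLE_ROLES = {
    "alice": {SYSTEM_ADMIN},
    "bob": {SYSTEM_ADMIN},
    "carol": {SECURITY_OFFICER},
    "dave": {SYSTEM_ADMIN, SECURITY_OFFICER},
}

if __name__ == "__main__":
    policy = KeystorePolicy(EXAMPLE_ROLES)
    print("separation violations:", policy.separation_violations())
    print(policy.keystore_access("alice", "carol"))
    print(policy.keystore_access("dave", "dave"))
```

The separation check is the audit a reviewer of the role table would run; the access decision is the runtime side, which only succeeds when two distinct people present the two credentials.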