Key Ceremony
Encyclopedia
At the heart of every certificate authority
or certification authority (CA) is at least one Root Key(s) or Root Certificate(s) and usually, at least one Intermediate Root Certificate(s). These Digital Certificates are made from a Public and a Private Key. A Root Key Ceremony is a procedure where a unique pair of Public and Private Root Keys is generated. Depending on the Certificate Policy, the generation of the Root Keys may require notarization, legal representation, witnesses and ‘Key Holders’ to be present. 'Best practice' is to follow the SAS 70 standard for Root Key Ceremonies.
Unless the information being accessed or transmitted is valued in terms of millions of dollars, it is probably sufficient that the Root Key Ceremony be conducted within the security of the vendor's Laboratory. The customer may opt to have the Root Key stored on a Luna Card or HSM
, but in most cases, the safe storage of the Root Key on a CD or hard disk is sufficient. The Root Key is never stored on the CA server.
Example B: Machine Readable Travel Document [MRTD] ID Card or e Passport
This type of environment requires much higher security. When conducting the Root Key Ceremony, the Government or Organization will require rigorous security checks to be conducted on all personnel in attendance. Those that are normally required to attend the Key Ceremony will include a minimum of two Administrators from the organization, two signatories from the organization, one lawyer, a notary and two video camera operators, in addition to the CA software vendor's own technical team.
Finally, as part of the above process, the Root Key is broken into as many as twenty-one parts and each individual part is secured in its own safe for which there is a key and a numerical lock. The keys are distributed to as many as twenty-one people and the numerical code is distributed to another twenty-one people.
, Digi-Sign and others.
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...
or certification authority (CA) is at least one Root Key(s) or Root Certificate(s) and usually, at least one Intermediate Root Certificate(s). These Digital Certificates are made from a Public and a Private Key. A Root Key Ceremony is a procedure where a unique pair of Public and Private Root Keys is generated. Depending on the Certificate Policy, the generation of the Root Keys may require notarization, legal representation, witnesses and ‘Key Holders’ to be present. 'Best practice' is to follow the SAS 70 standard for Root Key Ceremonies.
Examples
Example A: Strong identification & non-repudiation for email & web accessUnless the information being accessed or transmitted is valued in terms of millions of dollars, it is probably sufficient that the Root Key Ceremony be conducted within the security of the vendor's Laboratory. The customer may opt to have the Root Key stored on a Luna Card or HSM
HSM
HSM is a three-letter acronym that may refer to:* Harakat al-Shabaab Mujahedeen, a Somali insurgent group* Hardware security module* Health Systems Management* Hepatosplenomegaly* Hierarchical storage management* Hierarchical state machine...
, but in most cases, the safe storage of the Root Key on a CD or hard disk is sufficient. The Root Key is never stored on the CA server.
Example B: Machine Readable Travel Document [MRTD] ID Card or e Passport
This type of environment requires much higher security. When conducting the Root Key Ceremony, the Government or Organization will require rigorous security checks to be conducted on all personnel in attendance. Those that are normally required to attend the Key Ceremony will include a minimum of two Administrators from the organization, two signatories from the organization, one lawyer, a notary and two video camera operators, in addition to the CA software vendor's own technical team.
Overview
The actual Root Key-Pair generation is normally conducted in a secure vault that has no communication or contact with the outside world other than a single telephone line or intercom. Once the vault is secured, all personnel present must prove their identity using at least two legally recognized forms of identification. Every person present, every transaction and every event is logged by the lawyer in a Root Key Ceremony Log Book and each page is notarized by the notary. From the moment the vault door is closed until it is re-opened, everything is also video recorded. The lawyer and the two organization’s signatories must sign the recording and it too is then notarized.Finally, as part of the above process, the Root Key is broken into as many as twenty-one parts and each individual part is secured in its own safe for which there is a key and a numerical lock. The keys are distributed to as many as twenty-one people and the numerical code is distributed to another twenty-one people.
Seven Principal Components of a Root Key Ceremony
- 1. Key Generation Ceremony
- 2. Key Ceremony Definition
- 3. Key Ceremony Preparation
- 4. Root Key Creation
- 5. Root Key Activation
- 6. Root Key Maintenance
- 7. Root Key Recertification
Important Note
Example A and B are at opposite ends of the security spectrum and no two environments are the same. When considering the Root Key Ceremony, CA vendor Team of professional advisors can assist you in deciding on the most efficient level of security to reflect the level of protection required.Providers
The CA vendors and organisations that would implement projects of this nature where conducting a Root Key Ceremony would be a central component of their service would be organisations like RSA, VeriSignVeriSign
Verisign, Inc. is an American company based in Dulles, Virginia that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc and .tv country-code...
, Digi-Sign and others.
See also
- SAS 70
- Certificate AuthorityCertificate authorityIn cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...
- Private Key