[Pki-devel] lightweight sub-CAs; updated design

Petr Spacek pspacek at redhat.com
Fri Oct 31 09:14:11 UTC 2014


On 17.10.2014 19:04, Christina Fu wrote:
> In some situations, a process can be taken to generate keys on a soft token in a
> secure and isolated location and manually import them to individual HSMs.
> What you do not want to do, is to put your CA signing keys anywhere other than
> an isolated backup facility or in the token itself, no matter how many times
> you wrap it.  Ciphers get cracked every few years, and when your CA private
> keys are compromised, the consequences are insurmountable.
> You might ask, why then does the KRA keep the wrapped user private keys on the LDAP
> server for archival/recovery?  The answer is very simple. Those are user
> keys.  It would be bad if they are compromised, but not as bad or widespread.
> Also, those user private keys are wrapped with individual session keys (every
> key is different), unlike what DNSSEC is doing with one single "master key",
> if I read it correctly (I apologize I did not have time to look into DNSSEC at
> all).

Just to clarify why we did what we did with DNSSEC key distribution: The 
approach with "one master key" for DNSSEC was used because it scales very well 
and DNSSEC keys are relatively short-lived.

The "master key" is right now AES 128 bit and DNSSEC keys are RSA 2048 bit so it 
is easier to attack the RSA keys directly anyway.

In our setup it is very easy to change all keys including replica and master 
keys because all parts can cope with using multiple replica/master keys at the 
same time - old keys can be used only for unwrapping and only the newest key 
is used for wrapping.
(The underlying assumption is that the IPA LDAP DB is a safe way of communication/public 
key publication. DNSSEC keys are used to sign data read from LDAP so IMHO 
there is no point in attacking crypto if you can simply change data in the DB and 
let the server sign it for you.)

Also, DNSSEC keys do not have the same problem as CA keys: Any DNSSEC zone key 
(except DNS root - which is not the case for IPA :-) can be exchanged at almost 
any time. You only need to send your new zone public key to your parent domain 
and wait ~ 3 DNS TTLs (the TTL is configurable).

So, if you are paranoid you can rotate all keys e.g. bi-weekly and you will 
not need to touch clients - ever.

Anyway, I will be very glad if you could review the design more deeply when 
you have time. It would be only better if we have more eyes on it.

Have a nice day!

-- 
Petr^2 Spacek
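
The rotation rule described in the message above (only the newest master key wraps, older ones stay available for unwrapping), as an added example that is not part of the original e-mail or of the IPA code. AES-GCM stands in for whatever wrapping mechanism the deployment uses, and the `Keyring` type, key IDs and key bytes are constructed for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Keyring struct {
	Keys   map[string][]byte // accepted for unwrapping: key ID -> AES-128 master key
	Newest string            // the only key ID ever used for wrapping
}

func aead(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Wrap uses the newest master key only; its ID is bound in as associated data.
func (k *Keyring) Wrap(zoneKey []byte) (string, []byte, error) {
	g, err := aead(k.Keys[k.Newest])
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return k.Newest, g.Seal(nonce, nonce, zoneKey, []byte(k.Newest)), nil
}

// Unwrap accepts any key still in the ring; an ID removed from Keys is refused.
func (k *Keyring) Unwrap(id string, blob []byte) ([]byte, error) {
	g, err := aead(k.Keys[id])
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("unknown master key %q or short blob", id)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(id))
}

func main() { // constructed keys and made-up key IDs, for illustration only
	r := &Keyring{Keys: map[string][]byte{"mk-1": []byte("constructed-key1")}, Newest: "mk-1"}
	id, blob, _ := r.Wrap([]byte("constructed zone key"))
	r.Keys["mk-2"], r.Newest = []byte("constructed-key2"), "mk-2" // rotate: mk-1 is now unwrap-only
	old, err := r.Unwrap(id, blob)
	fmt.Printf("%s-wrapped blob after rotation: %q, err=%v\n", id, old, err)
}
```

Retiring an old master key is a `delete(r.Keys, id)` once every blob wrapped under it has been unwrapped and wrapped again under the newest key.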



