Root Key Ceremony

At the heart of every certificate authority or certification authority (CA) is at least one root key pair with its root certificate and, usually, one or more intermediate (subordinate) CA certificates. A digital certificate binds a public key to its owner and is signed with a private key; the root certificate is self-signed with the root private key, which is why that key is the most sensitive asset the CA holds. A Root Key Ceremony is the procedure in which the unique root key pair is generated. Depending on the Certificate Policy, generation of the root keys may require notarization, legal representation, witnesses and 'Key Holders' to be present. Best practice is to follow the WebTrust for Certification Authorities requirements for root key ceremonies, which are based on ISO 21188.

Examples

Example A: Strong identification & non-repudiation for email & web access

Unless the information being accessed or transmitted is valued in the millions of dollars, it is probably sufficient for the Root Key Ceremony to be conducted within the security of the vendor's laboratory. The customer may opt to have the root key stored on a Luna card or another hardware security module (HSM), but in most cases safe storage of the root key on a CD or hard disk, kept offline and under physical access control, is sufficient. The root private key is never stored on the CA server.

Example B: Machine Readable Travel Document (MRTD) ID card or ePassport

This type of environment requires much higher security. When conducting the Root Key Ceremony, the government or organization will require rigorous security checks on all personnel in attendance. Those normally required to attend the key ceremony include, at a minimum, two administrators from the organization, two signatories from the organization, one lawyer, a notary and two video camera operators, in addition to the CA software vendor's own technical team.

Overview

The actual root key pair generation is normally conducted in a secure vault that has no communication or contact with the outside world other than a single telephone line or intercom. Once the vault is secured, all personnel present must prove their identity using at least two legally recognized forms of identification. Every person present, every transaction and every event is logged by the lawyer in a Root Key Ceremony Log Book, and each page is notarized by the notary. From the moment the vault door is closed until it is re-opened, everything is also video recorded. The lawyer and the organization's two signatories must sign the recording, and it too is then notarized.

Finally, as part of the above process, the root key is split into as many as twenty-one parts, and each part is secured in its own safe that has both a key and a combination lock. The keys are distributed to as many as twenty-one people and the combination codes to another twenty-one people, so that no single person can retrieve even one part, let alone reassemble the key (split knowledge under dual control).
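As an added example (not code from the original article or from any CA vendor's ceremony tooling), the Python below shows one standard way to perform such a split: Shamir's (k, n) threshold secret sharing, where any k of the n custodians' parts reconstruct the key and any k-1 parts reveal nothing about it. The article does not say which splitting scheme is used, so Shamir's scheme is an assumption here; the "root key" bytes are constructed sample data, not real key material. The example goes slightly beyond the text by also showing what happens when too few custodians attend the recovery.

```python
"""Split-knowledge custody of a root key using Shamir's (k, n) secret sharing.

Added example, not code from the original article or any CA vendor. Shamir's
scheme is assumed as the splitting method; the article only says the key is
broken into parts. All key material below is constructed sample data.
"""
import secrets

# Mersenne prime 2^521 - 1. Shares are field elements modulo this prime, so a
# secret of up to 65 bytes (e.g. a 256-bit key-wrapping key) fits in one element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, y) such that any k of them reconstruct it.

    The secret is the constant term of a random degree k-1 polynomial; share i
    is the polynomial evaluated at x = i. With fewer than k points the constant
    term is information-theoretically undetermined.
    """
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field; share a wrapping key instead")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    `length` is the byte length of the original secret (restores leading zeros).
    Passing fewer than k shares does not raise: the result is an unrelated field
    element, usually far longer than the real key, never a partial key.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A below-threshold "recovery" can exceed `length` bytes; widen so it is visible.
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


def ceremony_demo(k: int = 3, n: int = 21) -> bool:
    """Split a constructed root key among n custodians and check the threshold."""
    root_key = secrets.token_bytes(32)   # constructed stand-in for the real root key
    shares = split_secret(root_key, k, n)
    # Any k custodians bringing their parts to the recovery ceremony succeed...
    ok_first = recover_secret(shares[:k], 32) == root_key
    ok_last = recover_secret(shares[n - k:], 32) == root_key
    # ...while k-1 parts yield garbage rather than a partial key.
    short = recover_secret(shares[:k - 1], 32) != root_key
    return ok_first and ok_last and short


if __name__ == "__main__":
    print("threshold scheme behaves as expected:", ceremony_demo())
```

In practice the value that is shared is usually a key-wrapping key for an HSM backup of the root key rather than the raw private key itself, and each share would additionally sit in its own dual-controlled safe as the article describes; the threshold then decides how many custodians must attend a recovery or recertification ceremony.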

Seven Principal Components of a Root Key Ceremony

1. Key Generation Ceremony
2. Key Ceremony Definition
3. Key Ceremony Preparation
4. Root Key Creation
5. Root Key Activation
6. Root Key Maintenance
7. Root Key Recertification

Important Note

Examples A and B are at opposite ends of the security spectrum, and no two environments are the same. When planning a Root Key Ceremony, the CA vendor's team of professional advisors can help you decide on the most efficient level of security for the level of protection required.

Providers

CA vendors and organisations that implement projects of this nature, in which conducting a Root Key Ceremony is a central component of the service, include RSA, VeriSign, Digi-Sign, Entrust and others.

See also

* SAS 70
* Certificate Authority
* Private Key



Wikimedia Foundation. 2010.
