[692] in cryptography@c2.net mail archive
Re: Full Strength Stronghold 2.0 Released Worldwide
daemon@ATHENA.MIT.EDU (Adam Shostack)
Mon May 5 22:32:06 1997
From: Adam Shostack <adam@homeport.org>
In-Reply-To: <t53iv0xpzv4.fsf@rover.cygnus.com> from Marc Horowitz at "May 5, 97 01:55:59 pm"
To: marc@cygnus.com (Marc Horowitz)
Date: Mon, 5 May 1997 20:11:41 -0400 (EDT)
Cc: cryptography@c2.net
1. Getting your www server cert revoked is a practical
impossibility. You might be able to get it onto a CRL, but there's no
checking. (This is OK--revocation is a hard problem, and not solving
it is acceptable most of the time.)
2. Getting a new server cert from Verisign takes at least 24 hours.
(especially if you lose the cert and are trying to do business.) If
you have a backup, you should be ok.
3. Recovery information for a server cert needs to be as carefully
controlled as the real certificate.
4. Certificate recovery may be better done with a backup copy than
with a 'recovery' technology such as secret sharing. However, having
a way to get your lost certificate back could be awfully useful to a
big company--anyone know how much confidence and money a company like
Amazon would lose in 12 hours of getting a new cert?
Adam
Marc Horowitz wrote:
| >> Oh, but I guess saying that Netscape is responding to customer
| >> requirements by including support for corporate key recovery wouldn't
| >> make such good press release spam.
|
| (I don't want to sound contentious here, but it still does, a little.
| I'm really curious about the answer.)
|
| What exactly are the customer requirements for key recovery in a web
| server? Key recovery (corporate, not GAK, of course) is only useful
| in an environment where encryption is used to protect data storage,
| not when encryption is only used for authentication and communication
| security. If I lose my personal certificate or my server's
| certificate, no data is lost, because nothing persistent uses that
| key; the issuer can revoke the old one, and issue a new one.
--
"It is seldom that liberty of any kind is lost all at once."
-Hume