Use banks/notaries to store passwords and keys separately.
1.- We encrypt the certificates with something like AES (GnuPG can encrypt files with symmetric algorithms), or to an OpenPGP key created for escrow purposes. We store the encrypted certificates (and the private key, if we use OpenPGP) on a USB flash drive. But we _don't_ put the passphrase on it (neither the passphrase for symmetric encryption nor the passphrase that unlocks the secret OpenPGP private key). And we put this flash drive inside a sealed envelope labeled "Envelope 1A" (plus dates and other details to identify it).
2.- We store the passphrase, in plain text, on another USB flash drive, and we put it inside another sealed envelope labeled "Envelope 1B" (plus dates and other details to identify it).
All of this is done in the presence of 2 or more people of CAcert. For obvious reasons, the person that enters the passphrase must not keep the first envelope.
3.- Now let's imagine banks offer a service for storing the envelope inside a safe deposit box, which requires 2 signatures from authenticated current members of the board. We put envelope 1A in a bank, and envelope 1B in another bank.
- Files and passphrase are not together. Even if a bank employee tries to access the certificates, the employee can't do anything because he lacks the other envelope.
- There is no need for a formal handover: people leaving the board lose the capability to do anything to the envelopes.
- First we need to find 2 banks or notaries that provide that storage service.
- Cost. I have no idea how much a bank would charge for that service.
- Time. How much time do we need to authenticate board members to the bank (especially after a handover)?
- Can we check the backups from time to time, without having more costs?
- Single point of failure. Even bank vaults can be accessed (some years ago, a group of thieves stole the contents of a vault, accessing it through an underground tunnel), or there may be disasters (some years ago, I saw a news story about a man losing his money because the vault was invaded by termites, which literally ate the money). This can be mitigated by creating envelopes 2A and 2B (not interchangeable).
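The envelope procedure above, as an added example (not part of this proposal or of CAcert's own tooling): it uses GnuPG symmetric encryption (AES-256) for envelope 1A, keeps the passphrase only in envelope 1B, and writes the SHA-256 of the ciphertext on both labels so a backup can be checked during a bank visit without opening the other envelope. Directory names, the label format and the key file are assumptions for the demo; GnuPG 2.x is assumed to be installed.

```sh
# gpg_fresh ARGS...: run gpg with a throw-away GNUPGHOME, so the agent's
# passphrase cache from an earlier step can never stand in for envelope 1B.
gpg_fresh() {
    home=$(mktemp -d)
    GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback "$@"
    rc=$?
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    return "$rc"
}

# make_envelopes KEYFILE WORKDIR: builds WORKDIR/envelope-1A (AES-256
# ciphertext plus a LABEL with its SHA-256) and WORKDIR/envelope-1B (the
# passphrase plus the same LABEL). The digest reveals nothing about the key,
# but lets each bank's envelope be checked without opening the other one.
make_envelopes() {
    src=$1; work=$2
    mkdir -p "$work/envelope-1A" "$work/envelope-1B" || return 1
    # Constructed passphrase: 32 random bytes, hex encoded. In the real
    # procedure it is typed by the member who does NOT keep envelope 1A.
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$work/envelope-1B/passphrase.txt"
    gpg_fresh --symmetric --cipher-algo AES256 \
        --passphrase-file "$work/envelope-1B/passphrase.txt" \
        --output "$work/envelope-1A/keys.gpg" "$src" || return 1
    digest=$(sha256sum "$work/envelope-1A/keys.gpg" | cut -d' ' -f1)
    printf 'keys.gpg SHA-256 %s\n' "$digest" > "$work/envelope-1A/LABEL"
    printf 'keys.gpg SHA-256 %s\n' "$digest" > "$work/envelope-1B/LABEL"
}

# check_envelope_1a WORKDIR: periodic integrity check that needs only
# envelope 1A; returns 0 when the ciphertext still matches its label.
check_envelope_1a() {
    work=$1
    [ "keys.gpg SHA-256 $(sha256sum "$work/envelope-1A/keys.gpg" | cut -d' ' -f1)" = \
      "$(cat "$work/envelope-1A/LABEL")" ]
}

# recover WORKDIR OUTFILE: the dual-control path, needs both envelopes.
recover() {
    gpg_fresh --decrypt --passphrase-file "$1/envelope-1B/passphrase.txt" \
        --output "$2" "$1/envelope-1A/keys.gpg"
}

# without_1b WORKDIR: returns 0 when envelope 1A alone (here: a guessed
# passphrase) yields nothing, i.e. one bank employee gets nothing usable.
without_1b() {
    ! gpg_fresh --decrypt --passphrase 'not-the-real-passphrase' \
        "$1/envelope-1A/keys.gpg" >/dev/null 2>&1
}
```

`--passphrase-file` reads only the first line of the file, so the passphrase drive must hold it on a single line.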
Assessment against Requirements
- This is the assessment by the proposal author:
Board control as strong as banks' authentication system
subroot handled separately
root is definitely offline
no critical sysadmin control so board is fully in control
reliable - recent experience (Ernie and AU bank) to sign onto a bank was slow. Reliable once control gained though. Teus also found difficulties in this approach
cost - big question - probably not $0
recovery as quick as bank processes occur. Foreign banks/notary release could be slow
risk of disclosure is very low with banks and hopefully notaries
Board has full control and sole control on root key
single purpose media used
encryption + password with physical separation used in lieu of dual encryption
yes - passwords on separate media
dual control regularly enforced by banks
board control is absolute
subroots not addressed
arbitrator recovery is assumed
The root certificate private key is stored secure from electronic and physical compromise.
Confidentiality yes - integrity limited by number of copies.
The root certificate private key is stored by the CA and not by any outside party.
Bank storage used. Confidentiality is assured. Integrity and availability are less certain.
The root certificate private key pass-phrase (i.e. password) is not stored electronically or physically.
stored in conformance with SP
The root certificate private key pass-phrase (or parts thereof) is known only to CA personnel.
Access by CAcert personnel only. Memory of the person who enters the passphrase could be a risk.
Provision is made to prevent loss of the root certificate through a single-point of failure of electronic equipment (including physical destruction of such equipment).
The bank storage of each item is a single point of failure. Dual USB devices mitigate electronic failure.
Provision is made to prevent loss of use of the root certificate resulting from the loss of one key person.
There are no key persons.
Use of the root certificate private key requires cooperative action by at least two CA personnel.
Banks will ensure control
Community Member Assessment
- You, the community member, are encouraged to assess this procedure too. Please fill out the table below with a 1-10 rating, with 1 being strongly meets criteria and 10 being fails criteria. Comments: (as you wish)
Community Member Assessment by Daniel Black
- I'm not a fan of notaries and banks:
- Teus tried it.
Philipp says they aren't for this purpose
- Ernie took 6+ months to be identified to a foreign bank. No reason the processes for secure deposits would be different.
- High cost
- Limited redundancy
- Low speed of recovery