Overview

This method gives multiple community members (Key Holders) possession of the encrypted form of the root key, while other members (Key Guardians) hold the keys that unlock it.

Principles

Notes:

Key Holder Agreement

I, XXX, as a key holder for CAcert agree that:

Key Guardian Agreement

I, XXX, as a key guardian for CAcert agree that:

Procedures

Escrow Meeting (aka Root Ceremony)

  1. The board decides an escrow meeting is needed.
  2. Nominated board members advise all Key Holders, Key Guardians and potential Coordinators and determine who is available.
  3. The board will select a Key Holder and Coordinator in the same geographic area to conduct the Escrow meeting.
  4. The board will advise the community of the choice of Coordinator.
  5. The board will ask the community to send new Guardian Keys (public keys) and their contact information to the Coordinator.
  6. The board will ask all Key Holders to send a Transport public key to the Coordinator.
  7. If a recovery operation is underway, the board will ask the current Key Guardians to send their Guardian Keys (private keys) to the Coordinator.
  8. The Coordinator prepares media containing new and old Guardian Keys and the Transport Keys.
  9. The Coordinator organises hardware and compatible freely available operating system software to be present at meeting.
  10. The Coordinator arranges a time and place with the Key Holder.
  11. The Coordinator advises the board of the time and place and seeks community witnesses to the event.
  12. The Coordinator and Key Holder meet with witnesses for the escrow meeting.
  13. The Coordinator, Key Holder and witnesses verify that the software at the meeting matches the publicly available version.
  14. The software is booted on the hardware (not networked).
  15. If a recovery operation is underway, the encrypted root key and Guardian Keys are loaded. The root key is decrypted onto non-volatile memory with the first Guardian Key that works. A second decryption with another Guardian Key is possible as a cross-check.
  16. (insert purpose-specific sub-procedure here; see below for details)
  17. The root key is encrypted individually with all the new public Guardian Keys.
  18. The collection of encrypted root and OCSP keys is copied onto a number of blank media, verified, and given to the Key Holders present.
  19. The collection of encrypted root and OCSP keys is zipped up and individually encrypted with all the Transport Keys of Key Holders. This is placed onto media for the Coordinator to distribute.
  20. The Coordinator wipes the media containing the original Guardian Keys.
  21. The Coordinator sanitises the RAM used on the hardware (to mitigate Cold Boot attacks).
  22. The meeting disbands.
  23. The Coordinator gives the Key Holders the newly encrypted root key (transport encrypted as well).
  24. The Key Holders will store their encrypted roots offline, optionally removing transport encryption.
  25. The Key Holders wipe previously held encrypted root keys, if any.
  26. The Key Guardians wipe the old Guardian Keys, if any.
  27. The witnesses, Coordinator and Key Holders report to the board/community on their progress.
  28. The Coordinator updates the Key Guardians' contact list.
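The two cryptographic steps of the meeting, encrypting the root key individually to every Guardian Key (step 17) and recovering it with the first Guardian Key that works plus a cross-check (step 15), as an added Go example that is not part of this page or of any CAcert tooling. It assumes the Guardian Keys are RSA keys and that the escrowed secret is short (for instance the passphrase protecting the root key file) so RSA-OAEP can wrap it directly; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

var label = []byte("cacert-root-escrow") // OAEP label binding each ciphertext to its purpose

// NewGuardianKey generates a Guardian key pair; only the public half goes to the Coordinator.
func NewGuardianKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Fingerprint identifies a Guardian public key, so a Key Holder can wipe a departed Guardian's copy.
func Fingerprint(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) }

// Escrow encrypts the secret individually to every Guardian public key (step 17).
func Escrow(secret []byte, pubs []*rsa.PublicKey) (map[[32]byte][]byte, error) {
	out := make(map[[32]byte][]byte, len(pubs)) // one copy per Guardian, keyed by fingerprint
	for _, pub := range pubs {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, label)
		if err != nil {
			return nil, err
		}
		out[Fingerprint(pub)] = ct
	}
	return out, nil
}

// Recover decrypts with the first Guardian private key that works and counts how many further
// keys reproduce the same secret (the cross-check of step 15). A nil secret means no key worked.
func Recover(escrow map[[32]byte][]byte, keys []*rsa.PrivateKey) (secret []byte, confirmations int) {
	for _, k := range keys {
		ct, ok := escrow[Fingerprint(&k.PublicKey)]
		if !ok {
			continue // this Guardian's copy was wiped or never made
		}
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, k, ct, label)
		if err != nil {
			continue // wrong or damaged key: try the next one
		}
		if secret == nil {
			secret = pt
		} else if bytes.Equal(secret, pt) {
			confirmations++
		}
	}
	return secret, confirmations
}
```

Deleting one Guardian's entry from the map is the "A Key Guardian leaves" step: the remaining copies still recover the secret, and a key that was never a Guardian Key recovers nothing.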

Notes:

New subroot sub-procedure

In the meeting procedure above the specific procedure is:

  1. Subroots are generated.
  2. OCSP keys/certificates are generated for each subroot.
  3. A series of CRLs is generated (omit? - pending policy decision).
  4. Subroot and OCSP private keys are stored in the same manner as the root private key in possession of the Key Holders.
  5. The OCSP keys, CRLs and Subroots are encrypted using a transport key. The private key of this transport key is under dual control of the critical system administrators.
  6. The Coordinator transports the encrypted subroots (and CRLs, if any) to a critical system administrator.
  7. After delivery confirmation the Coordinator deletes their current copy of these files.

New root sub-procedure

In the meeting procedure above the specific procedure is:

  1. The new root key is generated (Roots/CreationCeremony).
  2. The OCSP key/certificate for the subroot is generated.
  3. The procedure for issuing subroots above is carried out.

A Key Guardian leaves the community

(This also applies if their key is stolen, destroyed or otherwise lost.)

  1. Each Key Holder is instructed to overwrite the encrypted root key corresponding to that Key Guardian's public key.

Key Holder leaves community

On Board direction, the Key Holder will:

  1. Ask for the Key Holder's media to be transferred to another nominated Key Holder; or
  2. Ask any Key Holder to transfer their contents to another nominated Key Holder and destroy the media in some recorded way.

Key Holder loses key/media or leaves community without notice

  1. A loss assessment is undertaken by the board and whoever has knowledge of the events.
  2. When the accumulated risk caused by losses reaches an unacceptable threshold, the board will issue new roots.

Extra Key Holder(s) needed

  1. The board decides who the extra Key Holder(s) will be.
  2. The board instructs an existing Key Holder to encrypt the root key collection with a transport key and transport it to the extra Key Holder(s).

Media degradation / obsolescence

  1. The board asks Key Holders to verify their media yearly. Failed media is destroyed and the Extra Key Holder(s) Needed procedure is undertaken with the existing Key Holders as the recipients.
  2. If the currently stored media is obsolete, Key Holders can transfer the encrypted contents onto the current media type and destroy the old one.

Variants

Double Encryption

Some more info behind the rationale for double encryption requirements came to light on the policy list.

As an alternative, Key Guardians send in two keys, a PGP key and an X.509 key, for encryption purposes. The root key is then encrypted with the PGP key, followed by the X.509 keys of all other parties. This effectively gains three-person control (Key Holder, Key Guardian (PGP) and Key Guardian (X.509)).

Funding

This method of escrow was designed around limited funds and high redundancy for key availability.

Key Storage

The root key is stored at the premises under the control of the key holder. Physical security requirements are reduced due to the strength of encryption applied to the key. The cost of media ($AU 0-20) is borne by the key holder, as is any physical security that they apply.

Key Escrow

The Escrow Meeting (aka Root Ceremony) occurs locally within the area of the Coordinator and the Key Holder. The Coordinator will be under a lot of pressure to conduct this operation quickly and smoothly according to the defined procedure. While it is not expected that they will need to travel more than across a city/district, travel costs of $AU 50 could be reasonable.

Expenses involved in gathering the hardware required to perform the procedure could be up to $AU 500. It is anticipated that standard commodity hardware could be used to perform the ceremony, with non-volatile storage (e.g. disk) removed/disabled.

Given the stress and inconvenience to the Coordinator's life of imposing a high-priority task of key escrow requiring many hours of time, I propose a bursary of $AU 140 for the work performed.

Assessment against Requirements

Author Assessment

Community Member Assessment

Community Member Assessment by Daniel Black

Comments:

Community Member Assessment by XXXXX


Roots/EscrowAndRecovery/MultiMemberEscrow (last edited 2011-02-20 17:15:00 by UlrichSchroeter)