Roots/EscrowAndRecovery/Notary

Describe Roots/EscrowAndRecovery/Notary here.

The 2008 Notary Escrow Project

The following describes the Project conducted in late 2008, into 2009, to investigate the escrow of the root into the care of a Dutch Notary. Note that this was the project of that time.

An implication of m20080710.2 is that the third party is external to CAcert, therefore not a Member of the Community nor an Association Member. A (European-style) Notary is indicated for escrow of CAcert Root and Sub-Root certificate private Keys in two separate sealed envelopes (Private key and passwords to the key).

Thought is given to escrow the sealed envelopes with two different third parties. Is there to be one single third party, or multiples, with half (encrypted (Sub-)Root Key) and half (password key) split.

Before escrow is effectuated the amount of Sub-Root Keys to be generated. In November 2008 it was speculated that only two Sub-Root Keys (non-assured and assured) was needed, however two extra (spare) Sub-Root Keys were generated. CPS (still WiP) is defining which Sub-Root Key is used for what.

Reasoning for third party escrow:

Board member safe has security issues: safe robustness, access control not to single person.
Board members can 'easily' resign, so CAcert looses control easily.
Board members are elected by CAcert association members each year.
Two board members can block (Sub-)Root Key recovery
Notary has conditions to recover and handover keys only by a well defined Board resolution.
If Board fails Notary can act on General Meeting resolution. Organisation remains in control and does not rely on individuals.
Board member secure storage is more expensive as Notary storage. Based on one recovery per year.

Notes by Teus:

6. password root private key? How? N=3 so no one knows the full password?

Number them on envelope in N envelopes. Store them in the envelope and seal the envelope? Separate envelope with order of envelopes?

Store envelopes at notary in Holland?

(Remember: notaries have Diginotar which is a commercial CA. It is a conflict of interest. However they have rulings about this. But notaries have failed in the past.

One envelope with order of envelopes can be put with board?

Should I bring sealing equipment? Old fashioned seal?

Note by iang: moved SSH key / FS encryption key / root account keys discussion to SecurityManual4.3.7.

Notes on some criteria as raised by Ian to Teus on 8th of May 2009:

C.3.c stored secure: with Board (Root and Sub-Root) and/or CAcert system admins (Sub-Root) store keys securely on home safes or bank safes. Access control to safes is not logged, nor access controlled to single well defined person.
C.3.d not by any outside party: Dutch Notary is outside party (however controlled under governmental supervision, in this case Royal Chambre of Supervision of Notaries and Notary Act), as well signing server, which is located with ISP (currently only Sub-Root Key, however with strong and secure access control).
C.3.e pass-phrase not on non-human physical carrier: pass-word keys are generated and not be able to be remembered by human beings, and so stored on USB-sticks in (separate sealed envelope).

Recovery From the Notary

Notes on Condition for Recovery:

Two signatures of Board members.
- These are manuscript (on paper) signatures?
- The digital signatures will accompany the paperwork for in case the CAcert certificates become acceptable.
Board members will need to be provable to the notary.
- This implies that Public Officer (the one whose name is registered with the Australian, NSW registry).
- Conditions for delivery from Notary has to be described: board order, person allowed to pick up data, and case of failure on board.
- This implies that the notary has to check board membership of persons involved.
- Notary can only check with Registrar and published board member list.
- Notary will check person who is mandated by the Board to put keys in escrow (copy of ID).
- Notary will check identities of Board members via copy of ID, signature and other means (check with local governmental citizen register.
- Dutch notary accepts foreign entities under condition of extract of trade registration.
The board needs to vote and pass a public decision. See Act of Preservation conditions.
Paperwork: act of accepting code envelopes, trade office extract, by-laws for mandate arrangement, need board order, identity check contact person (has ID check with local government), conditions for delivery of sealed envelope with codes, all under Act of Preservation (dutch: Acte van Bewaarstelling).
Notary Recovery Conditions (work-in-progress)

Comments:

The to escrow question is raised seldom to a dutch Notary: the dutch word is Acte van Bewaarstelling (Act of Preservation).
Digital access and digital signature technology is new for Notaries, but they are curious about it.
As escrow is not common practice pricing is fluctuating.
Offers:
- 75 Eur exclusive VAT (19%) for Act of Preservation (act is in dutch), Notariskantoor Zuid, Steijl, Nld.
- 200 Eur incl VAT for Act of Preservation, Natariskantoor Rivaerdael, Venlo, Nld.
- 275 excl. VAT (19%) for Act of Preservation, Notariskantoor Moonen, Venlo, Nld.
timeframe: can be done in a week time, dependent on definition on conditions, and ready papers (extracxt, board decision/bylaws, copy passport of contact.

Procedure for Recovery

See Notary Recovery Conditions. Notary will put the conditions in an Act of Preservation (Acte van Bewaarstelling). The translation to english can be found here.

Relationship to Working Practices

In principle, these processes described are not used except under exceptional circumstances. Normal Sub-Root Key creation is done using the routine internal copies of the root, held by CAcert personnel.