Foreign-language conference: Public key infrastructures, services and applications

Observations on Certification Authority Key Compromise


Abstract

The most critical requirement for a Certification Authority (CA) is to protect its signing key from compromise. CA keys are typically stored in tamper-resistant Hardware Security Modules (HSMs). While, in a realistic deployment, the HSM may prevent the key from being fully copied or stolen, it cannot totally prevent illegal access to the key (due to compromise or even operator mistakes). This paper defines multiple compromise levels for the CA key and investigates the damage at each level. First, we show that with the most common revocation setting even the lowest compromise level (a single illegal access) may lead to the end of the CA. Then, we show that other revocation settings permit efficient countermeasures to prevent the revocation of the CA in some compromise levels. Finally, we describe some hints about the implementation of these settings in practice.
