> The CA root private key can be kept on a floppy
> or CD which is only inserted for signing to help prevent it being compromised.

If you're really paranoid, get a set of Java crypto cards and a reader. Last time I checked (10 months ago?) cards were around $100/5, and a reader + Linux development kit was around $50.

In theory (read: I haven't actually gotten this to work yet, in part because I've been doing more and more with OpenBSD instead of Linux) you can have the card generate the root CA key and sign the top-level working certs. The cards are then removed and locked in a safe.

Unlike a floppy, a smart card can be configured to NEVER reveal the private key. An attacker might be able to extract it by cracking the smart card itself, but there are a lot of companies with compelling interests in ensuring that this never happens.

This isn't as sexy as one of those titanium-encased crypto boxes, but it does give you good hardware protection of your root key at a price that's affordable to individuals. Then again, at 200 servers even a $10k crypto box is only $50/server.

> > Also the certificate will have to be copied to all
> > systems that run our software.

You only need to copy the root certificate, but that's easily handled as part of your installation process.

Bear

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
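
The layout described in the message above (a root CA key that signs the top-level working certs and then goes offline, with only the root certificate installed on each system) can be tried with the `openssl` command line. This is an added example, not part of the original post: software keys stand in for the smart card, and every file name and subject name is constructed for illustration.

```shell
#!/bin/sh
# Added example. Software keys stand in for the smart card; all names are made up.
set -e

make_pki() {  # $1 = output directory
    d=$1; mkdir -p "$d"
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[working_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    # Root CA: self-signed. With a card, this key would be generated on-card.
    openssl req -x509 -config "$d/pki.cnf" -extensions root_ca -newkey rsa:2048 \
        -nodes -days 3650 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Working CA and server cert: fresh key + CSR, signed by the level above.
    issue "$d" work "Example Working CA" root working_ca
    issue "$d" srv "server.example" work leaf
    # The root key is not needed online again: stand-in for locking the card away.
    rm -f "$d/root.key"
}

issue() {  # $1 = dir, $2 = name, $3 = CN, $4 = issuer name, $5 = extension section
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 365 -extfile "$1/pki.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

verify_leaf() {  # $1 = installed root cert, $2 = working CA cert, $3 = leaf cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_pki "$tmp/a"
verify_leaf "$tmp/a/root.pem" "$tmp/a/work.pem" "$tmp/a/srv.pem" && echo "chain OK"
```

Only `root.pem` is passed as the trust anchor; the working CA certificate is supplied as an untrusted intermediate, the way a peer would present it during a handshake.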