SPYRUS Policies and Procedures - Audit Procedures for Secure Root Key Generation
SPYRUS offers a template for auditing secure root key generation. The audit procedures lead the participants through the root key generation process in a manner that is secure, trusted and auditable. Following root key generation, the completed audit procedures form part of the formal audit record that is essential for accreditation and certification.
Trust is the foundation of Public Key Infrastructure (PKI). Standards, policies, technological mechanisms and procedures are being developed to establish and maintain trust at all levels and all layers of developing PKI systems. The fundamental element of trust must be evident and proven in a PKI system.
There must be complete trust in the PKI's root key. This is the key pair that is generated on start-up of the PKI. The core of trust in a PKI is the root private key. The SPYRUS template for audit procedures sets out the steps through which the root private key may be generated and, once used, stored in a completely trustworthy manner.
Through generation of the root key pair, the root certificate is created. The root certificate is used to sign subordinate authority certificates (see SPYRUS PKI Architecture), and, at the end of the chain of trust, end-entity certificates are signed through a chain leading back to the root certificate. If there is not complete trust in the underlying root key, then there is no trust in the consequent activities of the PKI as a whole, nor in the transactions that the PKI serves to assure.
A PKI requires numerous policies and procedures to maintain the designed level of assurance. These policies and procedures inform the management and operation of the PKI, so that the PKI proves its designed assurance level. Policies and procedures vary depending on the designed assurance level, but nonetheless, for all PKI systems, the highest possible security safeguards must be applied to the generation and storage of the root key.
The SPYRUS template includes forms for auditors to use when witnessing the root key generation process. Using the template saves considerable time and money for SPYRUS customers; customers can easily tailor the template to meet their own requirements, based on their Certificate Policy. The consulting services of accredited auditors are not needed prior to the generation process, only for the conduct of the root key generation.
In addition to the template for audit procedures, SPYRUS offers a template covering the physical security requirements for root key generation. Because of the strong security safeguards that must be applied for root key generation, physical security of the site must be equally strong. There are a number of safeguards that may not be present on site, but which can either be added to the site or be compensated for through the introduction of other measures. SPYRUS has extensive general security expertise, and provides this in the most cost-effective manner through the template. Further on-site consultation is also available. The physical security template includes a checklist of security safeguards and considerations for those planning the PKI installation. With the template and its checklist, customers are assured of a resulting root key that is completely trusted, and a process that is auditable.