Talk:Key ceremony
This article has not yet been rated on Wikipedia's content assessment scale. It is of interest to the following WikiProjects: | ||||||||||||||
|
References not possible
editThis article has been annotated stating it needs improvement by adding citations to reliable sources and that unverifiable material may be challenged and removed.
This article cites 'Certificate Authority' and 'private key' that are both components that utilise a Key Ceremony to generate the root key that is used in/by a certificate authority and this root key has a private key. I then cite the international standard SAS70 that is the set of rules and guidelines for conducting a key ceremony.
There should be no further requirement on my part to explain/cite references. one of the reasons for writing this article is the destinct lack of resources and sources that are prepared to reveal the 'balck art' that is used when conducting a key ceremony. I think Wikipedia should be delighted that we choose this medium to reveal hwo the whole process works.
So: I'm revealing industry 'secrets' here for the good of the community. Getting references is simply not possible. PReynolds-Wiki (talk) 13:50, 21 January 2008 (UTC)
Unverifiability
editI can find little in the real world (outside of Digi-Cert, the original author's employer, and ICANN, one of Digi-Cert's customers) concerning a so-called "key ceremony" and, frankly, I'm having a bit of trouble believing this is much more than an a publicity grab or an attempt to establish a sense of mystique around a rather mundane process because customers might just pay more for a "key ceremony" than they would for a few techies to generate a digital key pair for them. The simple fact of that matter is that, if verifiability cannot be established, the article must go away. Such is the way of things and the only mechanism that ensures the long-term viability of the encyclopedia.
There are numerous examples of people creating WP articles and then using them as leverage to "get the ball rolling" toward creation of a term, or kickoff of a marketing campaign, or whatever. I find such schemes to be disingenuous, at best.
Anyone have any thoughts? — UncleBubba ( T @ C ) 04:46, 6 April 2011 (UTC)
I have worked for a CA and participated in these ceremonies. The "mystic" names of the roles certainly made it feel more of a D&D game than a serious thing, but not the least surprising if you consider what kind of people came up with these things. I remember reading this article a couple of years ago and it was pretty informative and accurate w.r.t. what I had experienced. The key ceremonies I participated in were never advertised and kept secret.
Most of these terms came from "confidential" (i.e. not kept on the internet, not controlled) information from larger vendors (CA's apparently love buying "solutions in a box"). Key ceremonies are definitely a thing, but are mostly to be found in the corporate world.
Tedlehmann (talk) 01:44, 18 June 2017 (UTC)
I'm working for banking services and we use PKI to sign payments orders. We are currently changing the CA and organize a key ceremony for it. All our banking partner will attend this ceremony and it's very important for the chain of trust as they will received signed payments from us. The ceremony is real.
Yohan Courbe (talk) 09:00, 3 August 2017 (UTC)
IANA key ceremonies for DNSSEC are publically available and can be used as a resource/reference here: https://www.iana.org/dnssec/ceremonies — Preceding unsigned comment added by 192.176.1.91 (talk) 13:58, 16 August 2017 (UTC)
Key ceremonies are a thing. I've acted as security officer at several. They're used in the corporate world where chain of trust and auditability are big deals. No one is going to sign 7-9 figure financial transactions and critical SCADA or national security related hardware and software with an 'openssl genpkey -algorithm RSA -rsa_keygen_bits:4096' output to a PEM file on the harddrive of a networked computer.
The entire idea behind the key ceremony (us cryptographers are a bunch of nerds and James Bond LARPers, thus your impression) is to have an auditable and public (to the people who will be trusting it) initialization of root certificates in a new PKI, which is secured with a HSM appliances that cost high five figures and do nothing but securely generate cryptographic keys (you can export the cert but the machine zeroizes if you try to export the private key without having MofN operators present, and then only in pieces that can reconstruct the actual key with something like Shamir Secret Sharing Scheme) and enforce very strict security policy and separation of duties. This HSM enforced separation of duties is what defines the roles at a key ceremony. St John Chrysostom Δόξατω Θεώ 06:04, 17 May 2020 (UTC)
Probable backwards copyvio
editThe duplicated text at [1] displays a creation date of 14 February 2008 -- whereas the Wikipedia article was created one month earlier on 19 January 2008. The cited website is an apparent reverse copyright violation of Wikipedia. I have removed the copyyright violation template. — CactusWriter (talk) 20:49, 8 September 2011 (UTC)
SAS 70 does not define controls
editSAS 70 defines how audits of an service organization shall be organized etc. There are no IT-specific controls, and consequently no key management controls. Same for the link to the Open Directory Project. The target page lists certificate authorities but does not provide a clue on key ceremonies.
Rewrite
editI'm a professional cryptographer at 'one of those places' that hires cryptographers outside of academia, and PKI/hybrid cryptosystem SME (and former Wikipedian/sysop, 10 years retired) and this article:
1. Needs a rewrite 2. Is tagged inappropriately for improvements:
2.1 SAS70 has to do with audit; I am *entirely unfamiliar* with SAS70 prescribing anything to do with igniting a PKI or assigning roles to PEDs on HSMs or KMSes: the PED roles determine the key ceremony process, SAS70 is for 'grey PED' auditors. A Google search shows one site mentioning a connection, and everything else seems to reference either it (Digi-sign.com) or this article. 2.2 There is not much public information on the key ceremony because it's an open secret among the PKI and applied cryptography communities, and not widely shared with outsiders (security through obscurity, though a key ceremony is essentially impossible to subvert unless you have multiple key persons in positions of trust in the security team at a given company).
3. Is unclear and contains some factually incorrect information about crypto details and the difference between keys, certificates, and their infrastructures.
Etc.
I intend to undertake a full rewrite in the coming weeks and remember enough about Wikipedia standards to post here first. I'm solely on mobile so will not likely be checking this page often. St John Chrysostom Δόξατω Θεώ 05:53, 17 May 2020 (UTC)
Please don't
editPlease don't use this article to inspire your own key signing ceremony - as others have discussed this article needs a rewrite. 2001:8003:E948:7E01:A8A5:E626:CF64:EB13 (talk) 05:25, 4 September 2024 (UTC)