[Per-Entity] TLS private keys and CDNs


  • From: David Walker <>
  • To: Per-Entity Metadata Working Group <>
  • Subject: [Per-Entity] TLS private keys and CDNs
  • Date: Wed, 21 Sep 2016 09:33:37 -0700

I did a (very) little browsing around to see how CDNs might handle TLS for their customers and found https://www.akamai.com/us/en/multimedia/documents/product-brief/akamai-secure-cdn-product-brief.pdf.  They say:

  • Customers’ private keys are never touched by human hands or seen by human eyes.
  • Customers’ private keys are transmitted securely and never written to CDN disk.
  • Robust, real-time auditing processes are used to ensure ongoing integrity of keys.
  • Dedicated, private key infrastructure located in secure and controlled locations.

I would have preferred something like them using an HSM to generate keys and cert requests that are signed by customer-chosen CAs without giving access to private keys to anyone, but it does indicate that the CDN providers have thought about the issue of managing private keys.  When we actually get to the point of choosing a CDN, we may find that this isn't as big an issue as we fear.

David


Attachment: signature.asc
Description: OpenPGP digital signature
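The key-handling pattern the message above prefers (key generated inside a device it never leaves, only a CSR exported, the certificate issued by a CA the customer chooses) can be exercised end to end with plain OpenSSL. The script below is an added illustration, not part of the post or of any CDN's product; it stands in an HSM with a scratch directory and the customer's CA with a throwaway self-signed root, both of which are assumptions, and finishes with the check a reviewer would want: the signing side holds no copy of the private key, the issued certificate chains to the customer CA, and its public key matches the key that stayed put.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): the private key is generated
# inside a boundary that stands in for an HSM (a scratch directory; assumption),
# only the CSR crosses that boundary, a customer-chosen CA (a throwaway root
# here; assumption) signs it, and the result is checked against the key that
# never moved.
set -eu

WORK="$(mktemp -d)"
HSM="$WORK/hsm"         # stand-in for the key-holding device (assumption)
CA="$WORK/customer-ca"  # stand-in for the customer's own CA (assumption)
mkdir -p "$HSM" "$CA"

# Step 1: the key is created inside the "HSM" and only a CSR is written outside it.
gen_key_and_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$HSM/key.pem" 2>/dev/null
  chmod 600 "$HSM/key.pem"
  openssl req -new -key "$HSM/key.pem" -subj "/CN=cdn.example.test" \
    -out "$WORK/request.csr" 2>/dev/null
}

# Step 2: the customer's CA signs the CSR. It handles only the public key.
sign_with_customer_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$CA/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$CA/ca.key" -subj "/CN=Customer Root CA (example)" \
    -days 30 -out "$CA/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/request.csr" -CA "$CA/ca.pem" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/cert.pem" 2>/dev/null
}

# Check: no private key copy on the CA side, the certificate chains to the
# customer CA, and its public key equals the public half of the key still
# inside the "HSM". Returns 0 on success, 1 otherwise.
verify_key_never_left() {
  [ ! -e "$CA/key.pem" ] || return 1
  openssl verify -CAfile "$CA/ca.pem" "$WORK/cert.pem" >/dev/null 2>&1 || return 1
  cert_pub="$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout)"
  key_pub="$(openssl pkey -in "$HSM/key.pem" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

gen_key_and_csr
sign_with_customer_ca
verify_key_never_left && echo "certificate issued; private key never left $HSM"
```

In a real deployment the `openssl ecparam` step would run on the HSM (or in whatever key-isolation boundary the CDN offers) and the `openssl pkey -pubout` comparison would be replaced by the device's own public-key export; the rest of the flow, and the final check that the certificate's public key matches a key that was never exported, is what you would ask a provider to demonstrate.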




