
per-entity - Re: [Per-Entity] TLS private keys and CDNs

Subject: Per-Entity Metadata Working Group


Re: [Per-Entity] TLS private keys and CDNs


  • From: Nick Roy <>
  • To: <>
  • Subject: Re: [Per-Entity] TLS private keys and CDNs
  • Date: Wed, 21 Sep 2016 10:39:57 -0600

I actually like this better than them generating the key signing requests themselves.  This lets us potentially share the same hostname across CDNs and front it with our own DNS strategy.  Not writing to disk isn't a mitigation since key-in-memory is similarly risky, the only real mitigation there being key-in-TPM or something similar.

Nick

On 9/21/16 10:33 AM, David Walker wrote:

I did a (very) little browsing around to see how CDNs might handle TLS for their customers and found https://www.akamai.com/us/en/multimedia/documents/product-brief/akamai-secure-cdn-product-brief.pdf.  They say:

  • Customers’ private keys are never touched by human hands or seen by human eyes.
  • Customers’ private keys are transmitted securely and never written to CDN disk.
  • Robust, real-time auditing processes are used to ensure ongoing integrity of keys.
  • Dedicated, private key infrastructure located in secure and controlled locations.

I would have preferred something like them using an HSM to generate keys and cert requests that are signed by customer-chosen CAs without giving access to private keys to anyone, but it does indicate that the CDN providers have thought about the issue of managing private keys.  When we actually get to the point of choosing a CDN, we may find that this isn't as big an issue as we fear.

David
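The custody arrangement David describes above, as an added Go example that is not code from this thread or from any CDN: a key custodian that generates the key and hands out only a PKCS#10 request, a customer-chosen CA that checks the request's proof of possession before issuing, and a customer-side check that the issued certificate chains to that CA and carries the custodian's public key. The KeyCustodian and CustomerCA types, the self-signed root and the host name sp.example.edu are constructed for the illustration; a real HSM enforces the no-export property in hardware rather than by leaving out a method.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// KeyCustodian (hypothetical) stands in for the CDN-side HSM: it holds the
// private key and deliberately offers no way to read it out. Only a CSR leaves.
type KeyCustodian struct{ priv *ecdsa.PrivateKey }

func NewKeyCustodian() (*KeyCustodian, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyCustodian{priv: priv}, nil
}

// NewCSR returns a DER-encoded PKCS#10 request for host: the public key plus a
// proof-of-possession signature made inside the custodian.
func (k *KeyCustodian) NewCSR(host string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, k.priv)
}

// PublicKey is the only key material the custodian ever exposes.
func (k *KeyCustodian) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// CustomerCA is the customer-chosen CA, modelled here as a self-signed root (constructed).
type CustomerCA struct {
	cert *x509.Certificate
	priv *ecdsa.PrivateKey
}

func NewCustomerCA() (*CustomerCA, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Customer Root (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CustomerCA{cert: cert, priv: priv}, nil
}

// IssueFromCSR verifies the request's self-signature (proof that the custodian
// holds the key) and that it names the host the customer expects, then issues
// a leaf certificate. The CA never sees the custodian's private key.
func (ca *CustomerCA) IssueFromCSR(csrDER []byte, expectedHost string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	named := false
	for _, n := range csr.DNSNames {
		named = named || n == expectedHost
	}
	if !named {
		return nil, errors.New("CSR does not name the expected host")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.priv)
}

// Run drives the whole flow: CSR for csrHost, issuance expecting expectedHost,
// then the customer-side check that the leaf chains to the CA for expectedHost
// and carries exactly the custodian's public key. Returns true on success.
func Run(csrHost, expectedHost string) (bool, error) {
	custodian, err := NewKeyCustodian()
	if err != nil {
		return false, err
	}
	ca, err := NewCustomerCA()
	if err != nil {
		return false, err
	}
	csr, err := custodian.NewCSR(csrHost)
	if err != nil {
		return false, err
	}
	leafDER, err := ca.IssueFromCSR(csr, expectedHost)
	if err != nil {
		return false, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost}); err != nil {
		return false, err
	}
	// The certificate must bind the key that stayed inside the custodian.
	return custodian.PublicKey().Equal(leaf.PublicKey), nil
}

func main() {
	ok, err := Run("sp.example.edu", "sp.example.edu")
	fmt.Println("issued and verified:", ok, "err:", err)
}
```

The customer's two checks at the end (chain to the chosen CA, public key equal to the custodian's) are what replace trust in the CDN's process claims: neither check requires the private key to leave the custodian, so the same flow works whether the custodian is an HSM or a software component.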

Archive powered by MHonArc 2.6.19.
