

List: per-entity (Per-Entity Metadata Working Group)


Re: [Per-Entity] TLS private keys and CDNs


  • From: David Walker <>
  • Subject: Re: [Per-Entity] TLS private keys and CDNs
  • Date: Wed, 21 Sep 2016 09:56:56 -0700

(Probably off-topic, but I don't see why, in concept, multiple CDN nodes couldn't share the same HSMs and host names.  There would probably need to be multiple certs per host name, one per HSM, but they'd all be signed by the same CA.  Using TPMs in the CDN nodes is a good idea, as it reduces overhead, but I think it otherwise has the same security properties as an HSM for this use case.)

Anyway, the point is that we (Ops) should see what the CDN providers have to say before making a final decision about key management.  FYI, I also like the idea someone had last week about using short-lived certs in the CDN that are signed by a well-advertised, long-lived CA.  That would at least limit the duration of our exposure to a compromised key.

David


On 09/21/2016 09:39 AM, Nick Roy wrote:
I actually like this better than them generating the key signing requests themselves.  This lets us potentially share the same hostname across CDNs and front it with our own DNS strategy.  Not writing to disk isn't a mitigation, since key-in-memory is similarly risky; the only real mitigation there is key-in-TPM or something similar.

Nick

On 9/21/16 10:33 AM, David Walker wrote:

I did a (very) little browsing around to see how CDNs might handle TLS for their customers and found https://www.akamai.com/us/en/multimedia/documents/product-brief/akamai-secure-cdn-product-brief.pdf.  They say:

  • Customers’ private keys are never touched by human hands or seen by human eyes.
  • Customers’ private keys are transmitted securely and never written to CDN disk.
  • Robust, real-time auditing processes are used to ensure ongoing integrity of keys.
  • Dedicated, private key infrastructure located in secure and controlled locations.

I would have preferred something like them using an HSM to generate keys and cert requests that are signed by customer-chosen CAs without giving access to private keys to anyone, but it does indicate that the CDN providers have thought about the issue of managing private keys.  When we actually get to the point of choosing a CDN, we may find that this isn't as big an issue as we fear.

David




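The arrangement floated in this thread (a long-lived, well-advertised CA signing short-lived certificates for node keys that never leave the node, with several nodes serving the same hostname under their own keys) as an added example; it is not code from the thread, from the working group, or from any CDN provider. It is written in Go against the standard library only. The assumptions are this example's own: the CA key is an in-memory ECDSA key standing in for an HSM, the hostname cdn.example.org, the ten-year CA lifetime and the 72-hour leaf lifetime are made up for illustration, and the relying-party check (VerifyAt) takes an explicit instant so the exposure window can be probed directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the long-lived issuer; an in-memory key stands in for the HSM the thread assumes (this example's assumption).
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a self-signed CA certificate valid for the given duration.
func NewCA(name string, validity time.Duration) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// NodeKeyAndCSR models a CDN node generating its own key (kept in its HSM/TPM) and a CSR; only the CSR leaves the node.
func NodeKeyAndCSR(hostname string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		DNSNames: []string{hostname},
	}, key)
	return key, csr, err
}

// IssueShortLived checks the CSR signature (proof of possession) and that it names only the host the
// operator intends, then issues a leaf whose short lifetime bounds how long a leaked node key stays useful.
func (ca *CA) IssueShortLived(csrDER []byte, hostname string, lifetime time.Duration, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != hostname {
		return nil, fmt.Errorf("csr names %v, expected only %q", csr.DNSNames, hostname)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// VerifyAt is the relying-party check (chain to the CA, hostname match, validity at instant `at`).
func VerifyAt(leafDER []byte, caCert *x509.Certificate, hostname string, at time.Time) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: at})
	return err
}

func main() {
	ca, _ := NewCA("Example Metadata CA", 10*365*24*time.Hour)
	_, csr, _ := NodeKeyAndCSR("cdn.example.org")
	leaf, _ := ca.IssueShortLived(csr, "cdn.example.org", 72*time.Hour, 2)
	fmt.Println("in 1h:", VerifyAt(leaf, ca.Cert, "cdn.example.org", time.Now().Add(time.Hour)), "| in 100h:", VerifyAt(leaf, ca.Cert, "cdn.example.org", time.Now().Add(100*time.Hour)))
}
```

Run it as an ordinary Go program; the first value printed is nil (the certificate is accepted an hour after issuance) and the second is the expiry error a client would see once the 72-hour window has passed. The point to notice is what the issuer enforces rather than trusts: the CSR is checked for proof of possession and is honoured only for the single name the operator passes in, so a node cannot obtain a certificate for some other service, and each node gets its own certificate for the shared hostname, which is the multiple-certs-per-hostname arrangement described above. The CA key is never sent to a node, and the node key never leaves the node.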




