

Ask YC: How are root keys stored in an exceptionally secure manner? - wallflower

"As the Internet’s leading CA, VeriSign has the following responsibilities<p>* Storing VeriSign root keys in an exceptionally secure manner"<p>I've always been curious as to what 'exceptionally secure manner' means. Is this the technological equivalent of how KFC stores its secret recipe?
======
mjgoins
I saw a talk by a woman who worked at a PKI auditing firm. She said they have
a special hardware appliance that stores the keys, which of course costs an
exorbitant amount, and has a redundant copy or three. I don't remember the
details, but google away.

She mentioned that the machine wasn't even on a network, but I don't know why
they would bother going that far.

~~~
olefoo
Because if that little bit of secret gibberish (the private key for the root
cert) were known to the wrong people it incurs liability in the billions of
dollars. And an air gap is cheap and effective protection.

~~~
wallflower
> that little bit of secret gibberish

That makes me wonder if root keys are some of the most valuable information in
the world (in terms of financial value per bit).

------
wmf
<http://en.wikipedia.org/wiki/Hardware_Security_Module>

------
ErrantX
Do you mean physical security considerations? or digital?

~~~
wallflower
Both. I remember something from Snowcrash(?) where they had to simultaneously
infiltrate the virtual security (the ICE) and physical security (the real-time
camoflauge, tear-gas).

