Hacker News new | ask | show | jobs
by rustcleaner 482 days ago
This one is right.

Have a shoe-box key, a key which is copied 2*N (redundancy) times and N copies are stored in 2 shoe-boxes. It can be on tape, or optical, or silicon, or paper. This key always stays offline. This is your rootiest of root keys in your products, and almost nothing is signed by it. The next key down which the shoe-box key signs (ideally, the only thing) is for all intents and purposes your acting "root certificate authority" key running hot in whatever highly secure signing enclave you design for any other ordinary root CA setup. Then continue from there.

Your hot and running root CA could get totally pwned, and as long as you had come to Jesus with your shoe-box key and religiously never ever interacted with it or put it online in any way, you can sign a new acting root CA key with it and sign a revocation for the old one. Then put the shoe-box away.
3 comments
account42 479 days ago
Signing a revocation doesn't magically inform all affected devices. In practice this is equivalent to pushing an update that replaces the root key.
link
Sytten 482 days ago
I mean sure but is that possible for OS builds? Generally you will generate a private key, get a cert for it, give it to Apple so they sign it with their key and then you use the private key to sign your build. I have never seen a guide do a two level process and I am nof convinced it is allowed.
link
oncallthrow 482 days ago
> It can be on tape, or optical, or silicon, or paper.

You can pick up a hardware security module for a few thousand bucks. No excuse not to.

link
xandrius 482 days ago
I see a good excuse right there: the few thousand bucks.

I'd rather one the most reliable and cheap hardware security model we know of: paper.

Print a bunch of QR/datamatrix codes with your key. Keep one in a fireproof safe in your house, and another one elsewhere.

Total cost: ~$0.1 (+ the multipurpose safe, if needed)

link
HeatrayEnjoyer 482 days ago
Printers often have hard drives with cached pages
link
okeuro49 482 days ago
That's why you buy a printer, then destroy it with a baseball bat after you print.

It is a bit expensive when it gets to 5-10 printers but still cheaper than the thousands.

link
xandrius 482 days ago
Put the printer in the safe with the paper?
link
alwa 482 days ago
Yubico will sell you one for $650

https://www.yubico.com/store/

link