Christiane writes "The SSL Root CA responsible for issuing the German digital health insurance card lost its secret private key during a test enrollment. After their Hardware Security Module (HSM) dutifully deleted its crypto keys during a power outage, it was all 'Oops, why is there no backup?' All issued cards must be replaced: 'Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out a test without backing up the root CA private keys. "We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfills this obligation is its own responsibility."'"
Not even a month ago you chided them because there were too many copies (some of them even offsite, they just didn't know who had them now), now you chew them out for having too few. Make up your effing mind!
This kind of organisation usually has a backup somewhere, they just have to find it. Its usually backed up on a post-it note somewhere. Maybe they should ask all of us to look for it, on the sides of our monitors.
I actually found the administrator password on a post-it note on the back of the server's CRT monitor while cleaning the server room.
"Fucking amazing" I said out loud, and as I pulled it off, on the back was the AmEx credit card number, expiration date, and 3digit pin for our organization to order IT stuff.
Then I noticed on the left underside of the CRT there was another post-it that said Ctrl Shift Alt Num+....so I pressed that and up came a hidden menu of hidden apps running (SysTrayX + a sketchy prog to hide services in TaskManager), 90% of them illegal. Also uTorrent was running, seeding about 50 anime series buried deep within the network and using about half of the T3 connection's throughput.
And to top it all off, I deduced that the server had never had a fresh install of Windows. It used to have NT Server, then they used software to upgrade it to 2000 Server, and software again to upgrade it to Server 2003.......
Day 7:
I get a call from the old IT guy asking me whats wrong with the connection, and I told him I reinstalled Server 2003, deleted his anime cache, changed the WPA-PSK keys from 1111111111 to something way more secure, reported the AmEx card as stolen to get a new one, changed the admin password and set password age limits on all accounts, and replaced the rootkit infected SCSI drives with new ones that would last longer. Also, I told the managers that his 5000$ quote for network-wide unlimited antivirus was utter bullshit and that he only got a cracked key for Norton 2003 and installed it only on the server, and prolly pocketed the money.
Damn dude was like "BUT I DIDNT BACK UP THE ANIME TO DVD YET!!!". Now I love anime as much as the next person, but I think he has other stuff to worry about at this point.
But you know what got me the most mad and prompted all of this? The server was named Odie, and the computers were all garfield characters.
Heh...I'm actually just doing a paid internship at a non-profit after their full-time guy left. It was supposed to end on May 1st, but hey I guess they love what I've done.
Got them a cheap dedicated backup system, updated all the systems and reinstalled an NLite-ed XP on every computer, and moved them from Exchange to Google. Oh, and the lab computers run Ubuntu.
They also loved it when I found the IT guy's secret paypal business account with 3000$ sitting in it that was supposed to be used for something else (battery backup replacement batteries). Putting passwords in a file on the administrator's desktop called "passwords for everything.txt" is sooooo helpful for when you're trying to be sneaky.
Once again, misleading title to a different summary. For fuck's sake, the Germans didn't lose the key. The SSL Root CA lost that. Get the facts right. For a second i was wondering how Germans could that stupid. That is unlike the Germany i know. And exactly as i suspected, the German insurer had been insisting the root CA for backup while the CA thought it was unnecessary. Is it the German company's fault?
After all, we all know Germans are exact and punctual, Poles are thieves, Russians are drunk and Fins are even more so. Oh, and Mexicans are lazy and US people are simple minded. Any stereotype missing?
The summary even states that Gematik insisted on a back-up less operation, and then provides a quote explicitly stating that they did no such thing! Slashdot: doing for editorial accuracy what Fox does for editorial neutrality.
The summary even states that Gematik insisted on a back-up less operation, and then provides a quote explicitly stating that they did no such thing!
Gematik commissioned D-Trust to provide the root CA as a service. D-Trust managing director Matthias Merx stated "Gematik decided to 'do without a back-up'. As a service provider, we have to accept that."
From the article and summary:
"Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out
That double negative sounds awful like "At the time, we didn't know what they were asking":P I guess its just with personal experence. Evey time I hear a manager use double negatives to defend a decision, its because they didn't really know what they were deciding in the first place. Atleast in IT.
The title/summary are not necessarilly incorrect, just ambiguous. English can do that, and if you aren't paying attention your meaning can be taken in a way other than you intended.
In this case, there are a few ways to read "German Health Insurance Card CA":
1.) The Health Insurance Card CA of German origin 2.) The CA for the German Health Insurance Card 3.) The Card CA for German Health Insurance 4.) The Insurance Card CA for German Health
Obviously they aren't saying 3 or 4, those work gramatically but don't
Even so, this line struck me as all too familiar: "The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfills this obligation is its own responsibility."
This is why managers (especially the MBA types) love outsourcing of everything. It is also in part because numbers and KPIs are so much more easy to manage than actual people. But mainly, by outsourcing a function you also get to outsource the responsibility for that particular function. If things go tits up, the worst you'll be blamed for is picking the wrong service provider, or perhaps not monitoring a particular KPI properly. Minor stuff.
I've seen plenty of managers like that, and I have heard a variation of that one line all too often.
by Anonymous Coward
on Tuesday July 14, @10:26AM (#28691591)
Maybe they should check with the NSA or CIA? They've got a backdoor into EVERY system, and may still have the key saved on a laptop lying around somewhere.
What's worst about it is that this is probably presumed to be worse. Had the key be stolen, they'd probably not even report it because business could continue as usual, maybe nobody finds out...
Mod parent up. In the serious crypto world, this is a good thing, provided it doesn't happen too often. Sometimes you're going to lose a key, because, for security reasons, you don't keep extra copies. You have a procedure for issuing new keys when this happens, which you're routinely doing anyway.
The entire concept of PKI revolves around the inheritance of trust from the root CA. It seems pretty clear these guys can not be trusted. I would be worried about the people who have to use them.
That's just silly. They obviously take security seriously enough that they found re-issuing all of their certs preferable to adding a second storage place for the private key, thus doubling the possibility of the system being compromised.
If the key had been compromised, that would be a breach of trust. This is more an example of the fact that as security increases, usability decreases.
No, that is just silly. Of course there should be a backup kept in a physically secure location for events just like this. In a real environment when a root CA loses its private key they not only have to reissue all new keys to everyone, but to all the CAs below them and all the users and CAs they signed (and so on all the way down the chain). This cascades quickly into a huge mess that can easily cost millions upon millions to clean up.
Why do they have to issue new keys? I'd think that as long as their public key is still known, that all the issued signed keys would still be valid. They'd just have to use a new key pair for any new signed documents.
Actually, I can think of a reason, after all. Since this CA no longer has the ability to revoke prior signatures made with that key, then that key can no longer be trusted as a signer. You can check to see if a CA has certified something, but there's no way to check to see if the CA changed their mind, because the CA no longer has a way to say that.
Well, as far as the security of the backup is concerned, isn't splitting the secret [digital-scurf.org] an option? Like having seven different keys to the national crown jewels' safe.:-)
PGP Desktop has this option. You can share a key and split it among people, where x amount of y pieces are needed to recover the original key, where both x and y are user selectable values.
However, if a key is a top root CA key, you would not be using it on a general purpose computer. You would have the key generated in a HSM and stored there, where someone can perhaps use the key to sign and decrypt stuff, but would have to go to a lot of trouble to get past all the hardware tamper evident stuff in the H
There are two fundamental ways to fail as a CA. There must be exactly one party in effective possession of the private key of the root cert. If the number of parties becomes less than or more than one, fail.
Mistakes happen, of course, and certificate infrastructures can be enormously complex. But if you're going to do any kind of risk mitigation, the absolutely most basic place to start would be with these two scenarios.
As an optimist, I'd say that least they didn't fail in the worst possible way.
The pessimist in me thinks I should get a bit more than "not failing in the worst possible way" when I pay somebody a barrel of cash to hash a couple numbers for me.
Matthias Merx, the firm's managing director, told heise online that following a voltage drop, something happened in D-Trust's "Trustcenter" that does occasionally occur. "The HSM independently deleted the data because it suspected an attack."
Translation? "Someone unplugged the backup power supply before setting the proper mode in the card because we didn't fully understand how sensitive the card is for root CA certs"
Merx explained that "Gematik decided to 'do without a back-up'. As a service provider, we have to accept that,"
Translation? "We asked Gematik that it might be a good idea to back it up and they said its fine its just for testing." or "We recommended to Gematik to back up the card before shipping it to us. They shipped it to us and we just shrugged our shoulders." Bonus points if you guessed they asked a low level manager at Gematik who thinks CA is the first two letters of a cat.
Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out a test without backing up the root CA private keys. "We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfils this obligation is its own responsibility."
Traslation? "Gematik is taking NO RESPONSABLITY WHATSOEVER for doing any safty checks before giving our root ca to an outside vendor."
All in all its not a big deal though. It looks like they just lost the issuing CA and not the revoke keys. It looks like they can still authenticate too. Now if this was the MAIN system germany with 80+ million plus medical cards? I think people are going to be shot:P
"the firm's managing director, told heise online that following a voltage drop, something happened in D-Trust's "Trustcenter" that does occasionally occur"
You cannot even say what's worse: A voltage drop even reaching the HSM or the HSM going suicidal and loosing the key. And all of that "occasionally"? Everytime they make popcorn in the microwave? As a german I am quite flabbergasted by this lack of german engineering, in one of the countries largest trust-centers.
For those of you who are wondering what CA is, it stands for Certificate Authority. You see, the Germans have a hard time functioning without a constant stream of praise, so they have this authority in place that prints and sends certificates to people. Every day thousands of Germans get congratualted for crossing the street, for finding their car keys or for eating their 1000th potato of the month. You know you've walked into a German household when you see the wallpaper of framed certificates.
The problem here is that the company deleted the certificate-printing program since they thought someone was trying to hack in and print more certificates for themselves- no one is THAT special so they had to stop him. They forgot to have another program ready to print more certificates, so now Germany is under threat of entering a depression since they no longer get certificates telling them how special they are.
On a serious note: I don't follow this article very well with all the acronyms being spelled out but not explained, and no background knowledge of anything going on here. If someone would care to explain what is going on here to someone that has never heard the term CA, you should get a +5 informative easily.
I will simplify, but basically a CA (Certificate Authority, that much of the parent wasnt a joke) is a server that creates encryption certificates. In this case, SSL certificates. For example, when you goto https://mail.google.com/ [google.com] that SSL certificate was created by the Thawte SGC CA. Thawte is one of many companies that you can pay to create you an SSL cert, so your users can communicate with your server via https.
The CA itself also has an encryption key, which is stored on hardware. In some cases its a PCIe board, others its a removable PCMCIA card, etc. This particular CA used an add-on board which lost power during operation, wiping out its only key. The board seems to have been working as intended, preventing attack (removal of board, which would cause power loss) by wiping itself.
Without that key, the CA can no longer create revocation lists (CRLs, lists of certs a CA has created that have since been revoked or expired) or any new certs. They are dead in the water, also causing every cert they have ever made to become invalid as they can no longer be checked against a recent CRL. They have to start from scratch, recreating every_single_cert.
This was only a test system, but if this happened in reality 80 million Germans would have invalid health cards. At least they discovered the value of a backup during testing.
In talking with people (or company representatives) about their security regarding passwords and keys, I always told them two things.
First, all security experts will tell you that you should not keep copies of that stuff around.
Second, that's not a realistic expectation, stuff happens. The IT guy goes on vacation, has an accident, or dies. (Seen all 3 numerous times.) You fire the Admin for some reason. This building burns down. Etc.
A reasonable thing to do, is keep a password/key log with that critical information that is kept up to date at all times. You have two copies of it. Both are kept secure in good quality safes (not a $200 lockbox).
Both safes are in different physical locations, at least separate buildings, preferably miles apart.
The reason for this is pretty easy. Once again, things happen. I've seen buildings burnt down, flooded, inaccessible due to chemical hazards from a truck wreck, etc. You don't know what will happen, but if you have them stored at separate physical locations, you at least know you will be able to get to one of them if you need to, assuming nobody uses a nuke.
It all falls under that old techie saying, "So, when did your data become important to you? Before or after you lost it...".
"We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfills this obligation is its own responsibility."'
If this were originally in English, it would mean "We knew this would happen and we tried to tell them, but those arrogant SOBs thought they knew it all and didn't want to listen to us. So we shut up, pulled up a chair, got some popcorn, and waited for the fireworks". I'm not sure that translates, though...
Oh c'mon, be fair! (Score:5, Funny)
Not even a month ago you chided them because there were too many copies (some of them even offsite, they just didn't know who had them now), now you chew them out for having too few. Make up your effing mind!
Re:Oh c'mon, be fair! (Score:4, Funny)
This kind of organisation usually has a backup somewhere, they just have to find it. Its usually backed up on a post-it note somewhere. Maybe they should ask all of us to look for it, on the sides of our monitors.
Parent
Re:Oh c'mon, be fair! (Score:5, Funny)
My Day 1:
I actually found the administrator password on a post-it note on the back of the server's CRT monitor while cleaning the server room.
"Fucking amazing" I said out loud, and as I pulled it off, on the back was the AmEx credit card number, expiration date, and 3digit pin for our organization to order IT stuff.
Then I noticed on the left underside of the CRT there was another post-it that said Ctrl Shift Alt Num+....so I pressed that and up came a hidden menu of hidden apps running (SysTrayX + a sketchy prog to hide services in TaskManager), 90% of them illegal. Also uTorrent was running, seeding about 50 anime series buried deep within the network and using about half of the T3 connection's throughput.
And to top it all off, I deduced that the server had never had a fresh install of Windows. It used to have NT Server, then they used software to upgrade it to 2000 Server, and software again to upgrade it to Server 2003. ......
Day 7:
I get a call from the old IT guy asking me whats wrong with the connection, and I told him I reinstalled Server 2003, deleted his anime cache, changed the WPA-PSK keys from 1111111111 to something way more secure, reported the AmEx card as stolen to get a new one, changed the admin password and set password age limits on all accounts, and replaced the rootkit infected SCSI drives with new ones that would last longer. Also, I told the managers that his 5000$ quote for network-wide unlimited antivirus was utter bullshit and that he only got a cracked key for Norton 2003 and installed it only on the server, and prolly pocketed the money.
Damn dude was like "BUT I DIDNT BACK UP THE ANIME TO DVD YET!!!". Now I love anime as much as the next person, but I think he has other stuff to worry about at this point.
But you know what got me the most mad and prompted all of this? The server was named Odie, and the computers were all garfield characters.
CALVIN AND HOBBES FTW!!!!
Parent
Re:Oh c'mon, be fair! (Score:4, Funny)
Oh, and his DAT72 backups had been failing for the last 2 years and he had never checked the logs.
Good thing he left to start his own business! /shudder
Parent
Re: (Score:3, Funny)
Day 8:
You got fired, and the system got "restored" because your "fixes" halted the whole "business".
It was a sad day.
Re:Oh c'mon, be fair! (Score:5, Funny)
Heh...I'm actually just doing a paid internship at a non-profit after their full-time guy left. It was supposed to end on May 1st, but hey I guess they love what I've done.
Got them a cheap dedicated backup system, updated all the systems and reinstalled an NLite-ed XP on every computer, and moved them from Exchange to Google. Oh, and the lab computers run Ubuntu.
They also loved it when I found the IT guy's secret paypal business account with 3000$ sitting in it that was supposed to be used for something else (battery backup replacement batteries). Putting passwords in a file on the administrator's desktop called "passwords for everything.txt" is sooooo helpful for when you're trying to be sneaky.
Seriously, this shit is a soap opera of IT-isms.
Parent
Re: (Score:2)
If everything fails, keep browsing through various pages trading in that stuff, you'll eventually find it...
Re: (Score:3, Insightful)
Its usually backed up on a post-it note somewhere.
For a root CA private key, better be a big post-it note
(or written in really small letters)
Wrong Title, Wrong summary (Score:4, Informative)
Once again, misleading title to a different summary.
For fuck's sake, the Germans didn't lose the key.
The SSL Root CA lost that.
Get the facts right.
For a second i was wondering how Germans could that stupid. That is unlike the Germany i know. And exactly as i suspected, the German insurer had been insisting the root CA for backup while the CA thought it was unnecessary.
Is it the German company's fault?
Re:Wrong Title, Wrong summary (Score:5, Funny)
After all, we all know Germans are exact and punctual, Poles are thieves, Russians are drunk and Fins are even more so. Oh, and Mexicans are lazy and US people are simple minded. Any stereotype missing?
Parent
Re:Wrong Title, Wrong summary (Score:5, Informative)
Any stereotype missing?
yes.
we British are all of the above.
Parent
Re:Wrong Title, Wrong summary (Score:5, Funny)
Not only that, they have really weird tastes, too. In food and bed. Sometimes at the same time.
Parent
Re: (Score:2)
And how exactly do you pull off being exact and punctual while being sloppy and unable to figure out what time it is from being drunk?
Re: (Score:2)
And how exactly do you pull off being exact and punctual while being sloppy and unable to figure out what time it is from being drunk?
Practice... lots and lots of practices. Speaking of which it's time for me to do some practicing.
Re: (Score:2)
I must take issue with your sweeping nationalistic statement. Poles aren't theives - that's Romanians. Poles are honest. Crap at plumbing, but honest.
Re: (Score:2)
.... and US people are simple minded. Any stereotype missing?
Simple minded? I thought we were just fat and lazy.
Re: (Score:3, Insightful)
Well, we DO know that they are awfully good at writing numbers down. Sometimes even up the arm.
Re: (Score:2)
Re: (Score:3, Insightful)
The summary even states that Gematik insisted on a back-up less operation, and then provides a quote explicitly stating that they did no such thing! Slashdot: doing for editorial accuracy what Fox does for editorial neutrality.
Re: (Score:3, Informative)
Gematik commissioned D-Trust to provide the root CA as a service. D-Trust managing director Matthias Merx stated "Gematik decided to 'do without a back-up'. As a service provider, we have to accept that."
From the article and summary:
"Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out
Re:Wrong Title, Wrong summary (Score:4, Interesting)
"We did not decide against a back-up service ..."
That double negative sounds awful like "At the time, we didn't know what they were asking":P I guess its just with personal experence. Evey time I hear a manager use double negatives to defend a decision, its because they didn't really know what they were deciding in the first place. Atleast in IT.
Parent
Re: (Score:3, Informative)
The title/summary are not necessarilly incorrect, just ambiguous. English can do that, and if you aren't paying attention your meaning can be taken in a way other than you intended.
In this case, there are a few ways to read "German Health Insurance Card CA":
1.) The Health Insurance Card CA of German origin
2.) The CA for the German Health Insurance Card
3.) The Card CA for German Health Insurance
4.) The Insurance Card CA for German Health
Obviously they aren't saying 3 or 4, those work gramatically but don't
Re:Wrong Title, Wrong summary (Score:5, Insightful)
This is why managers (especially the MBA types) love outsourcing of everything. It is also in part because numbers and KPIs are so much more easy to manage than actual people. But mainly, by outsourcing a function you also get to outsource the responsibility for that particular function. If things go tits up, the worst you'll be blamed for is picking the wrong service provider, or perhaps not monitoring a particular KPI properly. Minor stuff.
I've seen plenty of managers like that, and I have heard a variation of that one line all too often.
Parent
NSA/CIA (Score:4, Funny)
Maybe they should check with the NSA or CIA? They've got a backdoor into EVERY system, and may still have the key saved on a laptop lying around somewhere.
Re: (Score:2)
Could be worse (Score:5, Insightful)
Re:Could be worse (Score:4, Interesting)
What's worst about it is that this is probably presumed to be worse. Had the key be stolen, they'd probably not even report it because business could continue as usual, maybe nobody finds out...
Parent
Re: (Score:2)
Mod parent up. In the serious crypto world, this is a good thing, provided it doesn't happen too often. Sometimes you're going to lose a key, because, for security reasons, you don't keep extra copies. You have a procedure for issuing new keys when this happens, which you're routinely doing anyway.
This would never happen in Britain (Score:3, Funny)
It would easily be found be searching the nearest pub car park for USB keys, or checking the train that the relevant civil servant travelled home on.
Public Key Infrastructure (Score:2)
Re: (Score:2, Insightful)
That's just silly. They obviously take security seriously enough that they found re-issuing all of their certs preferable to adding a second storage place for the private key, thus doubling the possibility of the system being compromised.
If the key had been compromised, that would be a breach of trust. This is more an example of the fact that as security increases, usability decreases.
Re: (Score:2)
Re: (Score:2)
Why do they have to issue new keys? I'd think that as long as their public key is still known, that all the issued signed keys would still be valid. They'd just have to use a new key pair for any new signed documents.
Re: (Score:3, Insightful)
Actually, I can think of a reason, after all. Since this CA no longer has the ability to revoke prior signatures made with that key, then that key can no longer be trusted as a signer. You can check to see if a CA has certified something, but there's no way to check to see if the CA changed their mind, because the CA no longer has a way to say that.
Re: (Score:2)
Re: (Score:3, Insightful)
PGP Desktop has this option. You can share a key and split it among people, where x amount of y pieces are needed to recover the original key, where both x and y are user selectable values.
However, if a key is a top root CA key, you would not be using it on a general purpose computer. You would have the key generated in a HSM and stored there, where someone can perhaps use the key to sign and decrypt stuff, but would have to go to a lot of trouble to get past all the hardware tamper evident stuff in the H
You can fall off the road on either side (Score:4, Interesting)
Mistakes happen, of course, and certificate infrastructures can be enormously complex. But if you're going to do any kind of risk mitigation, the absolutely most basic place to start would be with these two scenarios.
Re: (Score:3, Informative)
As an optimist, I'd say that least they didn't fail in the worst possible way.
The pessimist in me thinks I should get a bit more than "not failing in the worst possible way" when I pay somebody a barrel of cash to hash a couple numbers for me.
No, that's also the optimist in you.
Cheers. :)
Rootkeylosin! (Score:3, Funny)
Q: How do you learn every German swear word in about 20 seconds?
A: Tell the German admin that you lost the root key.
Re: (Score:3, Insightful)
I'm confused (Score:5, Insightful)
I'm confused, isn't this sort of problem exactly why you carry out system tests?
Sending out new cards to card testers during a systems test is hardly extraordinary.
Re:I'm confused (Score:4, Informative)
Matthias Merx, the firm's managing director, told heise online that following a voltage drop, something happened in D-Trust's "Trustcenter" that does occasionally occur. "The HSM independently deleted the data because it suspected an attack."
Translation? "Someone unplugged the backup power supply before setting the proper mode in the card because we didn't fully understand how sensitive the card is for root CA certs"
Merx explained that "Gematik decided to 'do without a back-up'. As a service provider, we have to accept that,"
Translation? "We asked Gematik that it might be a good idea to back it up and they said its fine its just for testing." or "We recommended to Gematik to back up the card before shipping it to us. They shipped it to us and we just shrugged our shoulders." Bonus points if you guessed they asked a low level manager at Gematik who thinks CA is the first two letters of a cat.
Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out a test without backing up the root CA private keys. "We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfils this obligation is its own responsibility."
Traslation? "Gematik is taking NO RESPONSABLITY WHATSOEVER for doing any safty checks before giving our root ca to an outside vendor."
All in all its not a big deal though. It looks like they just lost the issuing CA and not the revoke keys. It looks like they can still authenticate too. Now if this was the MAIN system germany with 80+ million plus medical cards? I think people are going to be shot:P
Parent
A drop in voltage? (Score:2)
Place blame (Score:5, Funny)
What is "CA"? (Score:5, Funny)
The problem here is that the company deleted the certificate-printing program since they thought someone was trying to hack in and print more certificates for themselves- no one is THAT special so they had to stop him. They forgot to have another program ready to print more certificates, so now Germany is under threat of entering a depression since they no longer get certificates telling them how special they are.
On a serious note: I don't follow this article very well with all the acronyms being spelled out but not explained, and no background knowledge of anything going on here. If someone would care to explain what is going on here to someone that has never heard the term CA, you should get a +5 informative easily.
Re:What is "CA"? (Score:5, Informative)
I will simplify, but basically a CA (Certificate Authority, that much of the parent wasnt a joke) is a server that creates encryption certificates. In this case, SSL certificates. For example, when you goto https://mail.google.com/ [google.com] that SSL certificate was created by the Thawte SGC CA. Thawte is one of many companies that you can pay to create you an SSL cert, so your users can communicate with your server via https.
The CA itself also has an encryption key, which is stored on hardware. In some cases its a PCIe board, others its a removable PCMCIA card, etc. This particular CA used an add-on board which lost power during operation, wiping out its only key. The board seems to have been working as intended, preventing attack (removal of board, which would cause power loss) by wiping itself.
Without that key, the CA can no longer create revocation lists (CRLs, lists of certs a CA has created that have since been revoked or expired) or any new certs. They are dead in the water, also causing every cert they have ever made to become invalid as they can no longer be checked against a recent CRL. They have to start from scratch, recreating every_single_cert.
This was only a test system, but if this happened in reality 80 million Germans would have invalid health cards. At least they discovered the value of a backup during testing.
Parent
My advice in the past (Score:3, Informative)
First, all security experts will tell you that you should not keep copies of that stuff around.
Second, that's not a realistic expectation, stuff happens. The IT guy goes on vacation, has an accident, or dies. (Seen all 3 numerous times.) You fire the Admin for some reason. This building burns down. Etc.
A reasonable thing to do, is keep a password/key log with that critical information that is kept up to date at all times. You have two copies of it. Both are kept secure in good quality safes (not a $200 lockbox).
Both safes are in different physical locations, at least separate buildings, preferably miles apart.
The reason for this is pretty easy. Once again, things happen. I've seen buildings burnt down, flooded, inaccessible due to chemical hazards from a truck wreck, etc. You don't know what will happen, but if you have them stored at separate physical locations, you at least know you will be able to get to one of them if you need to, assuming nobody uses a nuke.
It all falls under that old techie saying, "So, when did your data become important to you? Before or after you lost it...".
Does German work like English? (Score:3, Funny)
Re:An HSM That Requires Continuous Power? (Score:4, Informative)
Don't blame the cards for the stupidity of their administrators.
Parent
Re: (Score:2)
For the record, the CIA triad is "Confidentiality, Integrity, Availability", which is actually more applicable in this case. Just sayin'.