Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Feb 25 2008 - 11:30

Considerations

Key Management Considerations

PDF [1] Key Management can be a complex issue, and the sub-sections of this document [2] are only a guideline to the deeper questions involved. In selecting the best approach for your environment, the Digi-CAST™ [3] Team can advise you, and their advice will always be to keep things as simple as you can.

For Disposable Digi-IDs™, the Digi-CA™ [4] will require Key Management to be enabled in advance, because after five years, with only 100,000 end users, there will actually be 500,000 Key-Pairs in circulation. If you decide that you must use Disposable Digi-IDs™, then you should consider the following questions, for example:

  • Given that your environment will experience at least one PC upgrade every three to five years, will you choose to move 3, 5, or more of the Key-Pairs from the old PC to the new one (and how will you do it)?
  • More importantly, how will you have managed the backup and storage of all these Keys over the years?
  • Also, does the Certificate Policy permit Private Key backup and multiple Key-Pair storage?
  • When an employee leaves the organization and has several encrypted emails from three years back, how will they be decrypted?
  • And will you have a copy of that particular Private Key from three years ago?



The solution to these problems is to have Key Management and Key Escrow services enabled in the Digi-CA™ during configuration and installation.

In the case of Renewable Digi-IDs™, you don’t really need Key Management, and in many Trust Centre [5] environments Key Escrow services are not permitted by law. Also, as the end user has only one Digi-ID™ or Key-Pair to take care of, it is a much easier task to provide assistance and enable them to ‘self recover’ from their own Backup.

Key Management & Key Escrow Recommendations

Unless you have a strong case for using Disposable Digi-IDs™ and the Key Management they require, there is no logical reason, from a time, management or cost perspective, to insist on implementing it. It is only important to know that the option is available to you, should you need it.

Key Escrow is a definite requirement for Disposable Digi-IDs™, but you may well decide it is not needed at all should you choose the alternative Renewable Digi-IDs™.



Source URL: https://www.digi-sign.com/digi-ca/key%20management%20considerations

Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[2] https://www.digi-sign.com/digital+document
[3] https://www.digi-sign.com/service/digi-cast
[4] https://www.digi-sign.com/digi-ca
[5] https://www.digi-sign.com/trust+centre