Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)

By Digi-Sign
Created Feb 25 2008 - 16:09

Key Access Component Holders

A CA’s private key is a valuable item because its possessor can activate the CA at any time. To protect against misuse, Key Access Component Card Sets are created and are required to access the private key.

These Card Sets consist of a defined number of Key Access Component Cards, each protected with a PIN, that store the encryption key elements [components] necessary to decrypt the private key and bring it into the online state inside the cryptographic device. Individuals who possess the Key Access Component Cards used to protect particular keys are called Key Access Component Holders. The organization that owns the CA must track and record accurate information about Key Access Component Cards and Key Access Component Holders so that a complete list is maintained at all times.
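Added illustration, not Digi-Sign's or Digi-CA's own code or card format: a quorum of PIN-protected component cards, modelled as Shamir shares, that together recover the key that wraps the CA private key, while any smaller group learns nothing. The k-of-n scheme, the field prime, and the holder names and PINs are assumptions; the page only states that a defined number of cards is required.

```python
"""k-of-n Key Access Component Cards modelled as Shamir shares (added illustration)."""
import hashlib
import secrets
from dataclasses import dataclass

P = 2**127 - 1  # prime field for the shares; an assumption, not a real card format

@dataclass(frozen=True)
class ComponentCard:
    holder: str       # Key Access Component Holder, as recorded in the holder register
    index: int        # x-coordinate of the share (1..n); safe to list in the register
    component: int    # y-coordinate: the key element stored on the card, never listed
    pin_hash: bytes   # the card yields its component only with the correct PIN

def _eval_poly(coeffs, x):
    # Horner evaluation of the sharing polynomial at x, modulo P
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def create_card_set(kek: int, holders, quorum: int, pins):
    """Split the key-encrypting key among len(holders) cards; any `quorum` of them recover it."""
    assert 1 <= quorum <= len(holders) and 0 <= kek < P
    coeffs = [kek] + [secrets.randbelow(P) for _ in range(quorum - 1)]
    return [ComponentCard(h, i, _eval_poly(coeffs, i), hashlib.sha256(pin.encode()).digest())
            for i, (h, pin) in enumerate(zip(holders, pins), start=1)]

def present_card(card: ComponentCard, pin: str):
    """A holder presents a card with its PIN; the share is released only if the PIN matches."""
    if hashlib.sha256(pin.encode()).digest() != card.pin_hash:
        raise PermissionError(f"wrong PIN for card held by {card.holder}")
    return card.index, card.component

def recover_kek(shares):
    """Lagrange interpolation at x=0. With fewer than `quorum` shares the result is
    effectively random, i.e. reveals nothing about the key (the k-of-n property)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

if __name__ == "__main__":  # constructed demo: three of five holders present their cards
    cards = create_card_set(0x2b7e151628aed2a6abf7158809cf4f3c, ["A", "B", "C", "D", "E"], 3, list("12345"))
    print(hex(recover_kek([present_card(c, p) for c, p in zip(cards[:3], "123")])))
```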

  • Key Ceremony Script

    It is essential that the Key Ceremony produces an unbroken evidentiary path demonstrating that every aspect of the certificate generation process occurred in accordance with methods and procedures that comply with regulatory requirements and relevant standards [2]. A sample Key Ceremony Script is available in Appendix IV, but note that this is a sample only: a unique Script should be written for the specific environment, Certificate Practice Statement [3] and CP.

    Sufficient evidentiary material must be generated to demonstrate, should such a demonstration be required by law, that proper practices were followed during the ceremony. For this reason, every Key Ceremony is conducted from a written script. To achieve a high degree of confidence, each ceremony step must be witnessed, documented, and certified.

    The specific benefits of using scripts to perform the ceremony include:

    • An increased likelihood that potential errors are identified during a dry run, rather than during the ceremony.
    • The ability to use scripts as reference documents in planning future ceremonies.
    • The support that scripts provide in engendering the trust of end users.
    • The audit trail that scripts provide.

    Important Note: Conduct a practice run any time a new step is introduced and practice this before the actual Key Ceremony. The dry run provides confidence that everything will work on the day of the ceremony. During the practice run, use the naming document and script that have been prepared for the actual Key Ceremony. It is recommended to use test smart cards and hardware that will not be used during the actual Key Ceremony.

  • Video Recording

    For auditing purposes, Key Ceremonies are recorded by video and sound. The video recording should continuously capture the Operator Cards, Key Access Holders and the ceremony proceedings. Therefore the personnel must be seated to the left or right of the hardware used during the ceremony. All actions and personnel should be visible at all times.

    Once completed, the video recording should be stored with the other Archive Collateral in the Archive Folder.


Source URL: https://www.digi-sign.com/key%20ceremony/key%20access%20component%20holders

Links:
[1] https://www.digi-sign.com/downloads/digi-ca-admin-manual
[2] https://www.digi-sign.com/compliance/introduction
[3] https://www.digi-sign.com/repository/certificate+practice+statement