[Owasp-leaders] PKI resources...

Kevin W. Wall kevin.w.wall at gmail.com
Fri Feb 12 06:22:10 UTC 2016

On Wed, Feb 10, 2016 at 3:04 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Kevin,
> Like most cryptographers, the cryptographic cheat sheet punts on handling
> key management which is why I specifically did not mention it in answer to
> Miltons question. I also think the ASVS standard does little to address HSM
> and key management deep or meaningful way.​

​I kn​ow, I was just giving you grief. :)

Key management is THE single most difficult thing in cryptography IMO.
That's why it's not discussed very much. Not only is it hard to get right,
when it is correct, it often is too operationally tedious and/or expensive
for the return in the eyes of most businesses. (E.g., have you ever read
through the key signing ceremony they used for DNSSEC for TLDs? OMG!)

So generally my recommendation is to start with
NIST Special Publications 800-57 Recommendations for Key Management
and tweet it for your specific business needs. Also, many HSM vendors will
have suggested key management life cycles / ceremonies for you to follow.

That's about I think that OWASP can do. If you really need it done
correctly, then you probably should hire a professional cryptographer as a
​ <https://lists.owasp.org/mailman/listinfo/owasp-leaders>

Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160212/e88ed3c4/attachment.html>

More information about the OWASP-Leaders mailing list