NewSSLCertOrganization

Currently we have 2 (or more) self-signed service certificates. The ones I am aware of are:

  • mail.employees.org
  • www.employees.org

Because each service presents its own self-signed cert, users have to import a separate cert for every service.

I propose we move to a hierarchy of certificates: a root CA cert for employees.org that we use to sign current and future service certs. We will want to keep the root CA keys off-line (or at least off willers). Then, if the machine is compromised (and the service private keys exposed with it), we can simply issue new service certs and revoke the old ones via a CRL. Users will not have to update their trusted root CA stores.

To me, the big issues are:

  • is this too late? We've already propagated the certs above to our users, and changing will mean disruption for them
  • how will we keep the root CA private keys secure off the machine and still sign? I think at least 2 people should have them (hit-by-a-truck scenario). Alternatively, we could rely on passphrase encryption of the private key (something that cannot be used on service keys, which have to load unattended) and sign on willers. However, if openssl is trojaned, it could reveal the passphrase. I think signing is a rare enough event that doing it off willers is not that big of a deal.
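
The workflow proposed above (own root CA, per-service certs, revoke-and-reissue after a compromise, passphrase-encrypted root key that only ever lives on the signing host), as an added example and not the employees.org configuration: a POSIX sh script driving the openssl CLI. The hostnames are the two listed on this page; the working directory, passphrase and validity periods are constructed placeholders, and in real use the passphrase is typed interactively on the offline host rather than taken from an environment variable.

```shell
#!/bin/sh
# Added example, not the site's own setup. Two-level CA: an offline,
# passphrase-encrypted root signs per-service leaf certs. Service keys stay
# on the server; if they leak we revoke + reissue and clients keep trusting
# only root/ca.crt. Directory, passphrase and lifetimes are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT_PASS="${ROOT_PASS:-placeholder-offline-host-passphrase}"   # constructed; prompt for it in real use
cd "$WORK"

# Root CA: directory layout + minimal config for `openssl ca`, an encrypted
# root key, a 10-year self-signed root restricted to cert/CRL signing, and
# an initial (empty) CRL so clients can do CRL checks from day one.
build_root_ca() {
  mkdir -p root/newcerts
  : > root/index.txt
  echo 1000 > root/serial
  echo 1000 > root/crlnumber
  cat > root/openssl.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = ca_default
[ ca_default ]
dir              = ./root
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 397
default_crl_days = 30
policy           = policy_cn
unique_subject   = no
[ policy_cn ]
commonName       = supplied
organizationName = optional
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$ROOT_PASS" -out root/ca.key
  openssl req -x509 -new -config root/openssl.cnf -extensions v3_root \
    -key root/ca.key -passin "pass:$ROOT_PASS" -sha256 -days 3650 \
    -subj "/O=employees.org/CN=employees.org Root CA" -out root/ca.crt
  openssl ca -config root/openssl.cnf -passin "pass:$ROOT_PASS" -gencrl -out root/ca.crl
}

# Service key + CSR are made on the server; only the CSR travels to the
# signing host, which returns a leaf cert with a SAN and no CA capability.
issue_service_cert() {
  host="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$host.key"
  openssl req -new -config root/openssl.cnf -key "$host.key" \
    -subj "/O=employees.org/CN=$host" -out "$host.csr"
  cat > "$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl ca -config root/openssl.cnf -batch -notext -passin "pass:$ROOT_PASS" \
    -extfile "$host.ext" -in "$host.csr" -out "$host.crt"
}

# Compromise response on the signing host: mark the leaf revoked and publish
# a fresh CRL. Trust stores on user machines are untouched.
revoke_service_cert() {
  openssl ca -config root/openssl.cnf -passin "pass:$ROOT_PASS" \
    -revoke "$1" -crl_reason keyCompromise
  openssl ca -config root/openssl.cnf -passin "pass:$ROOT_PASS" -gencrl -out root/ca.crl
}

# What a client does: chain to the root and consult the CRL.
# Exit status 0 = trusted, non-zero = untrusted or revoked.
verify_service_cert() {
  openssl verify -crl_check -CAfile root/ca.crt -CRLfile root/ca.crl "$1" >/dev/null 2>&1
}

build_root_ca
for h in mail.employees.org www.employees.org; do issue_service_cert "$h"; done

# Simulated leak of the mail service key: keep a copy of the old cert,
# revoke it, then issue a replacement under the same root.
cp mail.employees.org.crt mail.employees.org.revoked.crt
revoke_service_cert mail.employees.org.revoked.crt
issue_service_cert mail.employees.org

for c in www.employees.org.crt mail.employees.org.crt mail.employees.org.revoked.crt; do
  if verify_service_cert "$c"; then echo "$c: trusted"; else echo "$c: rejected"; fi
done
```

Run it as `sh ca-demo.sh`; the last three lines report the live www and mail certs as trusted and the revoked copy as rejected. The point worth noticing is the split of responsibilities: `build_root_ca` and `revoke_service_cert` are the only steps that need the root key and its passphrase, so they are the only steps that belong on the offline signing host; `issue_service_cert` generates the key on the server and hands over nothing but a CSR.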

Comments?


