
Offline Root - or how to do PKI right

Non-Repudiation: Protection against an individual falsely denying having performed a particular action.

Consider a situation where a legal claim is made against your organization for making a false accusation against an employee. The employee in question was fired for attempting unauthorized access to sensitive information. The case begins and, as part of discovery, you are required to hand over all logs and configuration information regarding the PKI system that generated the certificate protecting the organization’s web site that was allegedly accessed. As the case moves forward, the former employee’s attorney claims that her client was the victim of a “man in the middle attack” by someone who had created an unauthorized certificate by gaining access to the private key of the Root CA, making a copy, and then setting up their own issuing CA.

In the prior months, the system logs show that the server acting as the Root CA had been brought online a number of times and there was no reliable audit trail of what had been done. On at least one occasion, the server had been left powered on and connected to the network for over an hour to install security patches.

Does any of this prove that the terminated employee is the victim of a third party’s misconduct? Probably not, but it does call into question the ability of the organization to make claims that their PKI provides non-repudiation. They cannot say that the terminated employee’s claims are impossible.

Now contrast this with a situation in which, every time the server was brought online, a formal audit trail was generated. Every step taken had been documented, witnessed by a third party, and recorded in a written attestation. Physical isolation of the server prevented it from ever being connected to a network, and all security patches were applied using removable media according to a well-documented and audited process.
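The kind of audit trail described above can be made tamper-evident rather than just written down. The following is an added example, not code from the original page: a hash-chained ceremony log in which each step (operator, witness, action, and the hash of any media used) commits to the previous step, so that an entry edited, removed or reordered after the fact no longer verifies. The ceremony name, operator and witness names, and the patch-media hash are constructed placeholders.

```python
import hashlib
import json


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class CeremonyLog:
    """Hash-chained record of one offline-root session: every step commits to the one before it."""

    def __init__(self, ceremony_id: str):
        self.ceremony_id = ceremony_id
        self.entries = []

    def record(self, step: str, operator: str, witness: str, artifact_sha256: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"ceremony": self.ceremony_id, "seq": len(self.entries) + 1, "step": step,
                "operator": operator, "witness": witness,
                "artifact_sha256": artifact_sha256, "prev_hash": prev}
        entry = dict(body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered step breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def attestation(self) -> str:
        """Head hash that operator and witness sign or copy into the paper ceremony record."""
        return self.entries[-1]["entry_hash"] if self.entries else "0" * 64


def demo_session() -> CeremonyLog:
    # Constructed sample session mirroring the patch-by-removable-media process above.
    patch_media = hashlib.sha256(b"constructed patch image contents").hexdigest()
    log = CeremonyLog("root-ca-ceremony-placeholder")
    log.record("power on root CA with no network cable attached", "op-alice", "witness-bob")
    log.record("mount removable patch media", "op-alice", "witness-bob", patch_media)
    log.record("apply OS security patches from media", "op-alice", "witness-bob")
    log.record("power off, return key material and media to safe", "op-alice", "witness-bob")
    return log


def tampered_session() -> bool:
    # Simulate an after-the-fact edit to one recorded step; verify() must now fail.
    log = demo_session()
    log.entries[1]["artifact_sha256"] = "deadbeef"
    return log.verify()
```

The head hash returned by `attestation()` is what the operator and witness would sign at the end of the session; anyone later holding the signed value can re-run `verify()` and confirm the log matches.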