What is inadequate separation (segregation) of duties for PKIs?
Weak controls over the use of signing keys can enable the certification authority (CA) to be misused, even if the keys themselves are not compromised. A malicious actor might issue malicious certificates that allow a device or user to impersonate a legitimate user and conduct a man in the middle attack, or to digitally sign malware that is then propagated, because it appears to come from a trusted source.
Proper security controls need to be established when designing an organization’s public key infrastructure (PKI). This includes separating CA roles and setting policies so that the operation fails if an individual attempts to perform more than one CA role. Setting up policies and procedures to ensure proper separation of duties, including establishing contingencies when a team member leaves, is critical to the security and integrity of the PKI and must be part of the initial design. It is preferable to implement a technology that enables a technical solution to the separation of duties policy. For example, presentation of an “M of N” smart card set can enforce a robust separation of duties policy by simply not allowing an individual to issue certificates without the presence of, for example, a Security Officer.