Establishing Key Recovery Agent Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Allowing someone other than the original user to recover keys presents a security risk. Although you trust your administrators, there are limits to how much any individual can be trusted with the ability to recover the key pairs of other users. For example, your key recovery agent might leave the organization, taking a copy of the key. Therefore, it is recommended that you monitor key recovery plans carefully.

Consider limiting the time that any one individual serves as the key recovery agent, or consider dividing the responsibility between several individuals and requiring that a smart card be used to perform key recovery tasks.

In addition, employ the following key recovery strategies:

  • If you know that a key has been compromised, revoke it immediately.

  • Do not recover keys or certificates that are used to secure high-value transactions or are associated with high-value certificates.

  • Do not archive or recover private keys that are used for signing. Doing so creates uncertainty in situations in which non-repudiation is the primary concern, because once a copy of a signing key can be recovered, the original user is no longer the only party who could have produced a signature.

If possible, recover encryption keys only after the original certificates have been revoked, and issue a new key at the time of recovery. Revocation ensures that the user can still decrypt existing data with the old key, but the revoked certificate can no longer be used to encrypt new data.