Fulfillment of ETSI EN 319 411-2 or ETSI TS 101 456 – "7.2.2 Certification authority key backup" using secure world daily backup on tape

Çağlar Arlı

Can someone explain to me how a CA can fulfill the normative request:

ETSI EN 319 411-2 or ETSI TS 101 456

"7.2.2 Certification authority key storage, backup and recovery ... c) the CA private signing key shall be backed up, stored and recovered only by personnel in trusted roles using, at least, dual control in a physically secure environment (see clause 7.4.4). The number of personnel authorized to carry out this function shall be kept to a minimum and be consistent with the CA's practices;"

and have automatic daily backups on tape of the whole "secure world" (including the CA private key) in order to achieve a fast disaster recovery solution.

I understand that the secure world is created under dual control, but daily backups are done automatically.

Also, I know that the recovery can be done with dual control only, but is it according to the ETSI requirement written above?

The most unclear point for me is related to daily backups, which mean that the CA would have 30 backups of the CA private key on tape each month. Is that allowed?

How can a regular CA achieve this ETSI request using Thales nCipher with secure world and backup on tapes?