
Re: threshold subjects





>>>>> "David" == David Black <d.black@opengroup.org> writes:
    David> The more general problem is that all keys have to be
    David> replaced eventually.  Do threshold subjects provide a route
    David> for replacing *all* keys (one at a time is ok) -- i.e.,

  No. If you replace all keys, then the old certificate is no longer
valid.
  The threshold lets one reissue the certificate at *any* time
between the time the original certificate is issued and the *last* key
(of k) is replaced. (Clearly, if k keys have been compromised, then
you lose.)
  This is still the case for single-key CAs (k=n=1), but now there is
no leeway between the first of n keys being compromised and the k'th
of n being compromised.

]     Where's the sun? Oh there you are. Aren't you late today? | one quark   [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    | two quark   [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


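The rotation argument above, worked through as an added example (not code from the original message or from any SPKI implementation). It models a k-of-n threshold subject and replaces its keys one at a time, each replacement being authorised by k of the keys still named in the *old* certificate. Assumptions: signatures are modelled with HMAC-SHA256 and the verifier holds every key (a stand-in for public-key signature checking); certificate bodies are canonical JSON; the names Key, build_cert, threshold_satisfied, rotate, rotate_all, rotation_possible and attacker_can_reissue are invented here. A retired key is treated as compromised, so it never signs its own replacement; that is what makes k=n (and in particular k=n=1) the case with no leeway.

```python
"""k-of-n threshold subject: reissue while k old keys remain (added example).

Assumptions (not from the original message): HMAC-SHA256 stands in for a
public-key signature, the verifier holds every key in `registry`, and all
names below are invented for illustration.
"""
import hashlib
import hmac
import json
import secrets


class Key:
    """A signing key; `kid` stands in for the public key a real cert would name."""

    def __init__(self, name: str):
        self.name = name
        self._secret = secrets.token_bytes(32)
        self.kid = hashlib.sha256(b"kid:" + self._secret).hexdigest()[:16]

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def build_cert(serial: int, k: int, keys) -> dict:
    """Certificate whose subject is 'any k of these n keys'."""
    kids = sorted(key.kid for key in keys)
    if not 1 <= k <= len(kids):
        raise ValueError("threshold k must satisfy 1 <= k <= n")
    return {"serial": serial, "subject": {"k": k, "keys": kids}}


def cert_bytes(cert: dict) -> bytes:
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def threshold_satisfied(cert: dict, data: bytes, sigs: dict, registry: dict) -> bool:
    """True iff at least k DISTINCT keys named in the subject validly signed data.

    Keys outside the subject, unknown keys and bad signatures do not count;
    sigs is keyed by kid, so one key signing twice counts once.
    """
    named = set(cert["subject"]["keys"])
    good = {kid for kid, sig in sigs.items()
            if kid in named and kid in registry and registry[kid].verify(data, sig)}
    return len(good) >= cert["subject"]["k"]


def rotate(old_cert: dict, signers, old_kid: str, new_key: Key, registry: dict) -> dict:
    """Replace one subject key; the new cert is authorised by k of the OLD keys."""
    if old_kid not in old_cert["subject"]["keys"]:
        raise ValueError("key to replace is not in the subject")
    keys = [kid for kid in old_cert["subject"]["keys"] if kid != old_kid] + [new_key.kid]
    new_cert = {"serial": old_cert["serial"] + 1,
                "subject": {"k": old_cert["subject"]["k"], "keys": sorted(keys)}}
    data = cert_bytes(new_cert)
    sigs = {s.kid: s.sign(data) for s in signers}
    if not threshold_satisfied(old_cert, data, sigs, registry):
        raise PermissionError("fewer than k valid signatures from the old subject's keys")
    registry[new_key.kid] = new_key
    return new_cert


def rotate_all(k: int, n: int):
    """Replace every key one at a time; the retiring key never signs.

    Returns (original kids, final cert, registry). Raises PermissionError
    when the remaining n-1 keys cannot reach the threshold k.
    """
    keys = [Key(f"K{i}") for i in range(1, n + 1)]
    registry = {key.kid: key for key in keys}
    cert = build_cert(1, k, keys)
    original = set(cert["subject"]["keys"])
    current = list(keys)
    for i in range(n):
        retiring = current[i]
        signers = [key for key in current if key is not retiring][:k]
        replacement = Key(f"K{i + 1}'")
        cert = rotate(cert, signers, retiring.kid, replacement, registry)
        current[i] = replacement
    return original, cert, registry


def rotation_possible(k: int, n: int) -> bool:
    """Can the holders retire every key, one at a time, without the retiring key?"""
    try:
        rotate_all(k, n)
        return True
    except PermissionError:
        return False


def attacker_can_reissue(cert: dict, stolen, registry: dict) -> bool:
    """An attacker holding `stolen` forges a reissue exactly when k of them are subject keys."""
    try:
        rotate(cert, stolen, cert["subject"]["keys"][0], Key("attacker"), dict(registry))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for k, n in ((2, 3), (1, 2), (1, 1), (3, 3)):
        print(f"k={k} n={n}: rotate all keys one at a time ->", rotation_possible(k, n))
```

rotation_possible(2, 3) and (1, 2) succeed because after any single key is lost, k honest keys remain to sign the reissue; (1, 1) and (3, 3) fail because losing one key already leaves fewer than k, the "no leeway" case. attacker_can_reissue shows the other side of the same threshold: k stolen subject keys let the attacker reissue too, and nothing in the model revokes the old certificate, so the threshold only buys time, not recovery, once k keys are gone.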
