[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Private Key replacement
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Francesco" == Francesco Zambon <zambon@enidata.it> writes:
Francesco> Possibly SPKI is the right place where one can take
Francesco> some precaution.
Francesco> I found interesting the proposal included in SET (see
Francesco> "Secure Electtronic Transaction Specification - Book 1
Francesco> Business specification '3.3):
Francesco> When one issues the public/private keys he will
Francesco> generate also a "recovery key" (private and public
Francesco> keys).
Francesco> The recovery key can be kept in a safe "place" (a
Francesco> floppy in the strongsafe), since they are not actually
Francesco> in use.
This is easily done in SPKI right now.
I do this with PGP (but not that successfully).
Generate a "personal CA" key. Make sure that all "permissions" (aka
capabilities) that you get are given to your "personal CA" key.
When you generate your "personal CA" key, you also generate your
"daily use key" and you sign it, with the personal CA key, delegating
(tag (*)) to it.
Your "personal CA" key goes somewhere safe, your "daily use key" is
protected to your best ability. If/when it gets compromised or lost,
you dig up your "personal CA" key and generate a new daily use key.
] IETF #40. Big Bill lives in Washington. D.C. or Seattle? | SSH IPsec [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBNI28E8mxxiPyUBAxAQFPNQMAm3Qu0RvIvqtBlb7qK7HM+lrPmNRJrpun
TYsrfg7lKBMaWuvDB162eGETgNqcfK1mRm/27Y/G1yYgVcYHUyamA6wnDTj9FEpc
bzIJkN8ySilWPbi/9l+Nr4/itX7vpSf2
=fkCg
-----END PGP SIGNATURE-----
Follow-Ups:
References: