
Re: Private Key replacement





>>>>> "Camillo" == Camillo Särs <Camillo.Sars@DataFellows.com> writes:
    Camillo> Michael Richardson wrote:
    >> When you generate your "personal CA" key, you also generate
    >> your "daily use key" and you sign it, with the personal CA key,
    >> delegating (tag (*)) to it.

    Camillo> Problem: Certs without delegation rights.

  Yes, you are right. Certs without delegation rights would have to be
reissued. The other solution is that one doesn't delegate with (tag
(*)), but rather, with the SDSI names:
	"personal CA" key has a SDSI name "me"
	"daily use"   key is the key named by "MCR's me"

  So, people delegate some permission to "MCR's me" with the principal
"MCR" being my long term public key.
  I think I would use both techniques at times.

]   IETF #40.  Big Bill lives in Washington. D.C. or Seattle?   |  SSH IPsec  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


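As an added illustration (not part of the post, and a toy model rather than a real SPKI implementation), the Python below contrasts the two approaches discussed above: tag (*) delegation from the personal CA key to the daily-use key, which is blocked when a third party's cert to the long-term key carries no delegation right, versus issuing to the SDSI name "MCR's me", which survives replacement of the daily key without reissuing the third party's cert. Keys are placeholder strings, and the "ssh-login" tag and the issuer "Alice" are assumptions.

```python
from collections import namedtuple

# Toy cert types (constructed for this example). NameCert: issuer key binds a
# local name to a subject, which is a key or a (key, name) SDSI name. AuthCert:
# issuer grants `tag` to subject; propagate=True lets the holder delegate onward.
NameCert = namedtuple("NameCert", "issuer name subject")
AuthCert = namedtuple("AuthCert", "issuer subject tag propagate")

def resolve(subject, name_certs):
    """Reduce a (key, name) SDSI name to a key. The latest binding wins, which
    stands in for expiry or revocation of the older name cert. None if unbound."""
    while isinstance(subject, tuple):
        key, name = subject
        found = [c for c in name_certs if c.issuer == key and c.name == name]
        if not found:
            return None
        subject = found[-1].subject
    return subject

def authorized(root, key, tag, auth_certs, name_certs, seen=frozenset()):
    """True if `root` granted `tag` to `key`, directly or via a chain in which
    every intermediate cert has the propagate bit set. Tag (*) covers all tags."""
    for c in auth_certs:
        if c.issuer != root or c.tag not in ("(*)", tag) or c in seen:
            continue
        holder = resolve(c.subject, name_certs)
        if holder == key:
            return True
        if c.propagate and holder is not None and \
                authorized(holder, key, tag, auth_certs, name_certs, seen | {c}):
            return True
    return False

# Placeholder key identifiers (constructed).
K_MCR, K_DAILY1, K_DAILY2, K_ALICE = "K_MCR", "K_daily1", "K_daily2", "K_alice"

# Style 1: the personal CA delegates everything to the daily key with tag (*),
# but Alice's cert to K_MCR has no delegation right, so the chain stops there.
delegate_all = AuthCert(K_MCR, K_DAILY1, "(*)", True)
alice_direct = AuthCert(K_ALICE, K_MCR, "ssh-login", False)

# Style 2: Alice grants to the SDSI name "MCR's me"; MCR's own name cert binds
# "me" to the current daily key, so a key replacement is just a new name cert.
alice_named = AuthCert(K_ALICE, (K_MCR, "me"), "ssh-login", False)
me_is_daily1 = NameCert(K_MCR, "me", K_DAILY1)
me_is_daily2 = NameCert(K_MCR, "me", K_DAILY2)  # issued after key replacement

def via_tag_star(daily_key):
    return authorized(K_ALICE, daily_key, "ssh-login", [alice_direct, delegate_all], [])

def via_sdsi_name(daily_key, name_certs):
    return authorized(K_ALICE, daily_key, "ssh-login", [alice_named], name_certs)
```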
