Re: Private Key replacement
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Camillo" == Camillo Särs <Camillo.Sars@DataFellows.com> writes:
Camillo> Michael Richardson wrote:
>> When you generate your "personal CA" key, you also generate
>> your "daily use key" and you sign it, with the personal CA key,
>> delegating (tag (*)) to it.
Camillo> Problem: Certs without delegation rights.
Yes, you are right. Certs without delegation rights would have to be
reissued. The other solution is that one doesn't delegate with (tag
(*)), but rather, with the SDSI names:
"personal CA" key has a SDSI name "me"
"daily use" key is the key named by "MCR's me"
So, people delegate some permission to "MCR's me" with the principal
"MCR" being my long term public key.
I think I would use both techniques at times.
] IETF #40. Big Bill lives in Washington. D.C. or Seattle? | SSH IPsec [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
] email@example.com http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----
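A toy model of the two delegation styles the message contrasts, added here as an example and not code from the original post or from any SPKI/SDSI implementation. Keys are plain strings (no real cryptography), and the key names (key:MCR, key:ALICE, key:D1, key:D2) and the name "me" are constructed for the illustration. The first scenario delegates from the personal CA key to the daily-use key with (tag (*)); the second binds the daily-use key to the SDSI name "MCR's me" and lets third parties authorise the name instead of the key.

```python
"""Toy model of (tag (*)) delegation versus SDSI-name delegation.

Added example; keys are labels, certs are dataclasses, no signatures are
checked.  Authorisation is worked out by walking certs from a trust root,
the way a 5-tuple reduction would, but heavily simplified.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NameCert:
    """SDSI name cert: the name `name`, as defined by `issuer`, means `subject`."""
    issuer: str
    name: str
    subject: str  # a key label


@dataclass(frozen=True)
class AuthCert:
    """Authorisation cert: `issuer` grants `tag` to `subject`.

    subject is ("key", key_label) or ("name", issuer_key, name).
    delegate=True lets the subject pass the permission on (the delegation
    right Camillo's remark is about)."""
    issuer: str
    subject: tuple
    tag: str
    delegate: bool


def resolve_name(name_certs, issuer, name):
    """Keys that issuer's name currently refers to."""
    return {c.subject for c in name_certs if c.issuer == issuer and c.name == name}


def tag_covers(granted, wanted):
    """(tag (*)) covers everything; otherwise tags must match exactly."""
    return granted == "*" or granted == wanted


def keys_authorised(auth_certs, name_certs, root, tag):
    """Set of keys that can exercise `tag` when `root` is the trust root.

    A key reached through a cert with delegate=True may itself issue certs
    for the tag; a key reached with delegate=False may not."""
    authorised = set()
    frontier = [root]
    seen = set()
    while frontier:
        issuer = frontier.pop()
        if issuer in seen:
            continue
        seen.add(issuer)
        for c in auth_certs:
            if c.issuer != issuer or not tag_covers(c.tag, tag):
                continue
            if c.subject[0] == "key":
                targets = {c.subject[1]}
            else:
                targets = resolve_name(name_certs, c.subject[1], c.subject[2])
            authorised |= targets
            if c.delegate:
                frontier.extend(targets)
    return authorised


def scenario_tag_star(alice_delegates):
    """Personal CA key MCR delegates (tag (*)) to daily key D1.

    Returns whether D1 can use the permission Alice granted to MCR."""
    mcr, d1 = "key:MCR", "key:D1"
    certs = [
        # constructed: Alice grants MCR "read-files", with or without delegation right
        AuthCert("key:ALICE", ("key", mcr), "read-files", alice_delegates),
        # constructed: MCR signs the daily key with (tag (*))
        AuthCert(mcr, ("key", d1), "*", True),
    ]
    return d1 in keys_authorised(certs, [], "key:ALICE", "read-files")


def scenario_sdsi_name(daily_key):
    """Alice authorises the name "MCR's me"; MCR binds that name to `daily_key`.

    Alice's cert carries no delegation right and is never reissued, so
    changing the daily key only requires MCR to issue a new name cert."""
    mcr = "key:MCR"
    name_certs = [NameCert(mcr, "me", daily_key)]
    auth = [AuthCert("key:ALICE", ("name", mcr, "me"), "read-files", False)]
    return daily_key in keys_authorised(auth, name_certs, "key:ALICE", "read-files")


if __name__ == "__main__":
    print("tag (*), Alice delegates:", scenario_tag_star(True))
    print("tag (*), no delegation right:", scenario_tag_star(False))
    print("SDSI name, original daily key:", scenario_sdsi_name("key:D1"))
    print("SDSI name, rotated daily key:", scenario_sdsi_name("key:D2"))
```

Run as a script, the two (tag (*)) cases show Camillo's point: the daily key inherits Alice's permission only when Alice's cert carried the delegation right. The two SDSI cases show the alternative in the message: Alice's cert names "MCR's me", so swapping the daily key from D1 to D2 needs only a fresh name cert from the long-term key.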