[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPKI signing keys only

>I think you're taking a different projection of the problem space from the
>I'm used to.  To me, a key is a signature key or an encryption key, getting
>name from the process with which it is used.
>I agree that you can also list the interpretation that key use leads to 
>(identification, authentication, authorization, ...) to name the key.  My 
>preference is to stick with my old habits but the suggestion is
> - Carl
Carl, although the term "export controls" is not likely to be politically
correct in this forum, I would note that there are very real, practical
differences in the way that export controls are imposed on products, based
on the function that keys are used to provide as opposed to the process of
using them.

For example, keys used for key exchange are viewed more liberally than keys
used for data confidentiality. Keys used for authentication and digital
signatures are likewise. keys used to provide intellectual property
protection, secure financial transactions, and other classes of applications
are also given preferable treatment.

That being said, it is a significant challenge for the application developer
to prove to the satisfaction of the export authorities that the application
only makes use of a certain key for that function only. For example, just
labeling a key with a keyUsage flag of "signature" won't buy you much,
unless you can prove that the application actually enforces that

Nonetheless, there might be significant merit in labeling keys as to their
alleged function, and not just the process that is performed on them.