[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Private Key Cloning

To: FRousseau@xxxxxxxxxxxxxxxxx
Subject: Re: Private Key Cloning
From: Paul Koning <pkoning@xxxxxxxxx>
Date: Mon, 19 Jun 2000 10:48:17 -0400 (EDT)
Cc: brauckmann@xxxxxxxxxxxxxx, ietf-pkix@xxxxxxx
References: <>

>>>>> "FRousseau" == FRousseau  <FRousseau@chrysalis-its.com> writes:

 FRousseau> Juergen, If a private key generated within a hardware
 FRousseau> cryptographic module is securely wrapped within that same
 FRousseau> module, is then exported to another similar hardware
 FRousseau> cryptographic module through an authenticated key exchange
 FRousseau> where it is unwrapped and both of these private keys are
 FRousseau> then used to perform electronic signatures in a load
 FRousseau> balancing situation (e.g. OCSP or TSA server), do you mean
 FRousseau> this would not be legal in Germany?

How would you guarantee that there's no man in the middle?  The only
way would be to have a prior out of band secure setup of
authenticating data, such as a shared secret or public keys used for
this key exchange process.  While the user of such a device can ensure
that this is done right, the manufacturer of the devices cannot.

It doesn't surprise me at all to see devices that don't allow this.
It makes good security sense to omit such a capability.

   paul

References:
- Private Key Cloning
  - From: FRousseau

Prev by Date: Re: Private Key Cloning
Next by Date: Re: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt
Previous by thread: Re: Private Key Cloning
Next by thread: Re: Private Key Cloning
Index(es):
- Date
- Thread