
Re: Private Key Cloning (TSA keys)



> ... But the argument has started as a result of the fact
> that some legislations, namely German Digital Signature Law, prohibit key
> cloning. So we've been discussing just one of the possible solutions to get
> around the restrictions of the law.
>
Is that the SigG / SigV German signature law?
I thought that was more for personal private keys where authentication data
(e.g. the PIN) is provided for EVERY signature generated by the private key
as well as "no copying the private key". Surely that is not relevant to TSA
servers where no one is there to enter a PIN.

> I'm still not convinced, though, that the interpretation of the law is
> correct. Taking your example with accelerator - would it be regarded as a
> breach of the law? If not, and the accelerator is all right, what makes it
> dramatically different from cloning the key in the environment which can be
> formally certified as a security-equivalent to the accelerator's?
>
Yes, it's a question of whether it is within the law, and within which
relevant law. The German signature law that I have indirectly worked with
was very specific but in my opinion not relevant to private keys used by
unattended servers.

> The law is written for general use, and each particular scenario requires
> specific peruse. I'm wondering if we are trying to scare ourselves away even
> before the law has a chance to "speak out". Would really like to hear from
> anybody who has legal expertise and can provide an interpretation of the
> German Law for that specific case.
>
That would be good but I'll be surprised if you get any. What good is legal
advice that is not based on actual case law anyway? There are no TSAs yet
(are there?) let alone cases regarding them?

Using a time-stamping key to self-sign TSA certificates looks a bit like a
kludge to me to fix a problem that TSAs may not even have. Surely well
defined key usage, particularly single key usage, is a good security goal to
achieve that this approach undermines.

Simon McMahon
ERACOM Pty. Ltd.