
Re: Private Key Cloning



Hi,

Being new to this group I would just like to add my 0.00001c ( or
pennies in my case ) worth to this discussion.

The whole idea of having a private key is just that, it is private to a
single entity and not shared across many other "clones" of that entity.

IMHO, and it is very "H" in this case, cloning a private key, of any
nature, is opening yourselves up to all sorts of repudiation claims.  If
you clone once, what stops you cloning "n" times without anyone knowing
( regardless of what procedures you have in place )?  Part of the basis
of "trust" is that a private key only exists in one place under the
strict control of the owner of that key.

I support the views put forward that maybe the TSA root should sign
certificates for level 1 TSA Agents, of which there could be as many as
required, but all of whom have a different DN ( very closely associated
with the parent TSA ).  The trust of the Time Stamp would then be
through a normal certificate chain and that only being 1 level.  Maybe
the TSA root could then go offline leaving the "work horses" to perform
the stamping.  Re-issuing of new TSA signing keys would then be quite
easy for each Agent, with only 1 out of "n" Agents being offline at any
one time, update the hardware signing module and get back online
a.s.a.p.

I may be well off the mark here, if so, just tell me to shut up and get
back in the cupboard.  However, as I am trying to learn this stuff, a
little help with my waywardness would go a long way.

Jeff
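
The one-level hierarchy proposed in the message above, sketched with the openssl command line as an added example that is not part of the original post: a root certifies three agents, each with its own key and DN, and the checks confirm that no agent key is shared and that every agent chains directly to the root. All names, DNs, serials and paths are constructed, and OpenSSL 1.1.1 or later is assumed.

```sh
# Added example; every name, DN, serial and path is constructed for illustration.
set -eu
write_cfg() {   # own config, so results do not depend on the system openssl.cnf
    cat > "$1/tsa.cnf" <<'EOF'
[req]
distinguished_name = req
[root_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[agent_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, timeStamping
EOF
}
# Fresh key for agent $2, certified by the root under the agent's own DN (serial $3).
issue_agent() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/tsa.cnf" \
        -subj "/O=Example TSA/CN=Example TSA Agent $2" \
        -keyout "$1/agent$2.key" -out "$1/agent$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/agent$2.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -set_serial "$3" -days 365 -sha256 -extfile "$1/tsa.cnf" \
        -extensions agent_ext -out "$1/agent$2.crt" 2>/dev/null
}
build_hierarchy() {   # $1 = working directory, $2 = number of agents
    write_cfg "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/tsa.cnf" -extensions root_ext \
        -subj "/O=Example TSA/CN=Example TSA Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    i=1
    while [ "$i" -le "$2" ]; do
        issue_agent "$1" "$i" "$((100 + i))"
        i=$((i + 1))
    done
}
# Number of distinct public keys among the agent certificates; a value lower
# than the number of certificates means two agents share (clone) a key.
distinct_keys() {
    for c in "$1"/agent*.crt; do
        openssl x509 -noout -pubkey -in "$c" | openssl dgst -sha256
    done | sort -u | wc -l | tr -d ' '
}
# Succeeds only if agent $2 validates with the root as its direct issuer.
one_level_ok() {
    openssl verify -CAfile "$1/root.crt" "$1/agent$2.crt" >/dev/null 2>&1 &&
    [ "$(openssl x509 -noout -issuer_hash -in "$1/agent$2.crt")" = \
      "$(openssl x509 -noout -subject_hash -in "$1/root.crt")" ]
}
d=$(mktemp -d) && build_hierarchy "$d" 3 && echo "distinct agent keys: $(distinct_keys "$d")"
```

Calling `issue_agent` again for a single agent with a new serial re-keys that agent alone, which is the rolling replacement the message describes; the other agents' certificates are untouched.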