[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: A PKI Question: PKCS11-> PKCS12

To: "'Peter Gutmann'" <pgut001@xxxxxxxxxxxxxxxxx>, ietf-pkix@xxxxxxx, raghavh@xxxxxxxxxxxxxxx
Subject: RE: A PKI Question: PKCS11-> PKCS12
From: Pierre Heuze <Pierre.Heuze@xxxxxxxxxxxx>
Date: Wed, 28 Nov 2001 17:47:33 -0000
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Peter,

Another case for moving keys around is to deal with key history. 

If I am using a token today, I might have to use another one tomorrow, yet
moving the encryption keys (either from one token to another or using a
backup key that I was archived somewhere). This is slightly different from a
pure backup (the user might want to do this, not going through some kind of
archive service).

Not sure about the key history for signing keys,non-repudiation keys. (Will
a judge be willing to proove that you have actually signed this document by
re-signing it using your 5 years old keys ? What about if you throw your
smart card in the meantime ?).

But for enryption keys, there is an obvious need. Unfortunately today, there
is still deficiencies in many commercial product. (Looks like nobody is
interested in looking at 2 years old encrypted email). To make things worse,
the history mechanisms and related key generation model (generated on the
token, injected with archive, injected without archive) are not very well
used and lack some standardisation.

You can refer to this in your paper.

Pierre

-----Original Message-----
From: Peter Gutmann [mailto:pgut001@xxxxxxxxxxxxxxxxx]
Sent: 28 November 2001 06:58
To: ietf-pkix@xxxxxxx; raghavh@xxxxxxxxxxxxxxx
Subject: Re: A PKI Question: PKCS11-> PKCS12

"RAGHAVENDRAN H. (SSG) - CTD, Chennai." <raghavh@xxxxxxxxxxxxxxx> writes:

>Myself and my friend had an discussion in which he says that when I put a
>private key/certificate pair into a smart card device (such as GPK 4000),
it
>is impossible to read the information and create a PKCS12 file (disk based)
>out of it.
>
>I find it mighty strange. For example, I might want to swap my
certificate/key
>pair from one smart card to another and I might want to do it via the
PKCS12
>format.

Just out of interest (for a paper I'm working on), why do you want to move
the
private key around?  There seems to be an amazing demand for this, with
reasons
ranging from logical ("We're experimenting with the technology and want to
move
keys around different systems for testing") through to the questionable ("We
want to share the same key across all our servers") through to the bizarre
("We
don't know, we just need to do it").  I'd be interested in hearing any other
reasons people have heard for moving keys around (apart from obvious ones
like
key backup).

Peter.

Prev by Date: Re: A PKI Question: PKCS11-> PKCS12
Next by Date: RE: A PKI Question: PKCS11-> PKCS12
Previous by thread: RE: A PKI Question: PKCS11-> PKCS12
Next by thread: RE: A PKI Question: PKCS11-> PKCS12
Index(es):
- Date
- Thread