
RE: A PKI Question: PKCS11-> PKCS12



Pierre Heuze <Pierre.Heuze@xxxxxxxxxxxx> writes:

>But for encryption keys, there is an obvious need. Unfortunately today, there
>are still deficiencies in many commercial products. (Looks like nobody is
>interested in looking at 2-year-old encrypted email). To make things worse,
>the history mechanisms and related key generation model (generated on the
>token, injected with archive, injected without archive) are not very well used
>and lack some standardisation.

From talking to users, key rollover is handled pretty poorly in many products.
I've heard stories of "Shut down everything you've got, swap the keys, then
start everything up again" as being the safest way to handle this, to prevent
stuff in transit from being unusable after the swap.  Other alternatives
involve running a backup server with old keys in parallel with the main server
with new keys, and other kludges.  For use with crypto tokens, the ability to
handle certs with different validity periods has only been addressed in the
last month or so (via PKCS #15 and PKCS #11); an inability to handle multiple
certs which differ only in validity periods would seem to lead naturally to the
need to take the "Shut 'em down" approach.

Peter.
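The rollover problem Peter describes, worked as an added example that is not code from this thread or from any of the products or standards mentioned: a key ring holds several keys whose validity periods overlap, new material is always sealed under the newest key whose encryption window is open, and an outgoing key stays usable for decryption through a grace period so that anything still in transit across the swap remains readable, with no "shut 'em down" step. The key records, key IDs, timestamps and secrets are constructed for the example; the cipher is a deliberately minimal toy (HMAC-SHA256 keystream XOR plus an HMAC tag) chosen only so the example runs offline with the standard library, and is not a recommended construction.

```python
"""Key rollover with overlapping validity periods (added example).

Models the alternative to stopping everything to swap keys: keep the old
key usable for *decryption* for a grace period after the new key becomes
the only key used for *encryption*.  Toy cipher, stdlib only.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    secret: bytes
    not_before: int     # first time the key may be used at all (epoch seconds)
    not_after: int      # last time the key may be used for encryption
    decrypt_until: int  # grace period: last time it may still decrypt


class KeyRing:
    """Holds several keys that differ in their validity windows."""

    def __init__(self):
        self._keys = {}

    def add(self, rec: KeyRecord):
        if rec.key_id in self._keys:
            raise ValueError("duplicate key id %s" % rec.key_id)
        self._keys[rec.key_id] = rec

    def encryption_key(self, now: int) -> KeyRecord:
        # During the overlap both keys are encryption-valid; prefer the newest
        # so that senders migrate to the new key as soon as it is live.
        live = [k for k in self._keys.values() if k.not_before <= now <= k.not_after]
        if not live:
            raise LookupError("no key valid for encryption at t=%d" % now)
        return max(live, key=lambda k: k.not_before)

    def decryption_key(self, key_id: str, now: int) -> KeyRecord:
        rec = self._keys.get(key_id)
        if rec is None:
            raise LookupError("unknown key id %s" % key_id)
        if not (rec.not_before <= now <= rec.decrypt_until):
            raise LookupError("key %s outside its decryption window at t=%d" % (key_id, now))
        return rec


def _keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: HMAC(secret, nonce || counter), concatenated.  Not for real use.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(ring: KeyRing, plaintext: bytes, now: int) -> dict:
    """Encrypt under whichever key is current at `now`; the key id travels with the message."""
    rec = ring.encryption_key(now)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(rec.secret, nonce, len(plaintext))))
    tag = hmac.new(rec.secret, rec.key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"key_id": rec.key_id, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(ring: KeyRing, msg: dict, now: int) -> bytes:
    """Decrypt with the key named in the message, if it is still inside its decryption window."""
    rec = ring.decryption_key(msg["key_id"], now)
    expect = hmac.new(rec.secret, msg["key_id"].encode() + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["tag"]):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(msg["ct"], _keystream(rec.secret, msg["nonce"], len(msg["ct"]))))


def build_ring() -> KeyRing:
    # Constructed timeline: key A encrypts until t=100 and decrypts until t=130;
    # key B goes live at t=90, so t=90..100 is the overlap.
    ring = KeyRing()
    ring.add(KeyRecord("A", b"A" * 32, 0, 100, 130))
    ring.add(KeyRecord("B", b"B" * 32, 90, 200, 230))
    return ring


def rollover_demo() -> dict:
    ring = build_ring()
    m1 = seal(ring, b"sent before the swap", 50)     # sealed under A
    m2 = seal(ring, b"sent during the overlap", 95)  # B is newest, so B

    def can_open(msg, now):
        try:
            unseal(ring, msg, now)
            return True
        except LookupError:
            return False

    return {
        "m1_key": m1["key_id"],
        "m2_key": m2["key_id"],
        "m1_in_transit_ok": can_open(m1, 110),   # A past not_after but inside grace
        "m1_after_grace_ok": can_open(m1, 140),  # A's grace period has ended
        "m2_ok": can_open(m2, 110),
    }


if __name__ == "__main__":
    print(rollover_demo())
```

The point of the grace window is that the sender's switch to the new key and the receiver's retirement of the old one need not happen at the same instant; the two operations are decoupled by keeping the old key decrypt-only for as long as the longest expected transit delay. The same separation of "may encrypt" from "may decrypt" is what a token needs in order to hold two certificates that differ only in validity period without a stop-the-world swap.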