Re: Web-PKI Keygen/Certreq Questions

Peter Gutmann wrote:

"James Jing" <jjing@xxxxxxxxxxxxxxxx> writes:

Yup, that's a problem with systems that enforce access/usage controls on crypto keys: it makes it impossible to generate PKCS #10 requests if the controls are in place. For example, cryptlib employs strict key usage/access controls, so in theory you couldn't create a PKCS #10 request, or create one for an encryption-only key. The workaround was to add a dynamic ACL check (that is, not a hardcoded rule in the kernel but a callback where object-type-specific code can provide additional information to the kernel) that allowed special-case use for PKCS #10:

Are there any solutions addressing such a problem already?

There is. Have a look at the way CRMF-format key request generation is used inside Netscape 7/Mozilla.

The solution implemented makes it possible, in several different use cases, to authenticate an encryption-only key without ever requiring it to sign.
Not many PKIs can interface with that the way it's required, but at least SUN's or AOL's CMS can.
It's efficient and it's 100% standards-compliant.
The only dubious aspect is the use of raw CRMF requests in the exchange instead of encapsulating them inside CMP or CMC.

Dump PKCS#10. It wasn't designed to handle this, but CRMF was.
Well, some vendor hasn't realized that yet, still using only PKCS#10 inside its CMC requests in the 2003 version of its tools.
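As an added illustration (not code from this thread, from cryptlib, or from Mozilla), the Python below models the three situations the messages describe: a strictly usage-controlled encryption-only key refusing the self-signature a PKCS #10 request needs, the dynamic ACL callback that lets that one special case through, and a CRMF-style encrypted-challenge proof of possession for a key-encipherment key that never signs at all. The key-usage ACL design and the `UsageControlledKey`, `pkcs10_acl`, `pkcs10_request` and `crmf_challenge_pop` names are my own hypothetical model, not cryptlib's API; the challenge-response POP follows the spirit of CRMF's key-encipherment POP (RFC 4211), not its ASN.1 encoding. The RSA parameters are a constructed toy with fixed small primes so the code runs offline; they are not secure.

```python
"""Added illustration: key-usage controls versus proof of possession.

Toy textbook RSA with fixed small primes (constructed, insecure) so that
the example runs stand-alone.
"""
import hashlib

# Constructed toy RSA parameters: n = 3233, phi = 3120, e = 17. Not secure.
P, Q, E = 61, 53, 17


class KeyUsageError(Exception):
    """Raised when the key's usage controls do not permit an operation."""


class UsageControlledKey:
    """Private key whose every operation is gated by a usage set plus an
    optional dynamic ACL callback (hypothetical model of the control
    scheme described in the thread, not cryptlib's implementation)."""

    def __init__(self, usages, acl_callback=None):
        self.n = P * Q
        self.e = E
        self.d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
        self.usages = set(usages)                # {"decrypt"} = encryption-only key
        self.acl_callback = acl_callback         # dynamic ACL: may allow a special case

    def public(self):
        return (self.n, self.e)

    def _check(self, op, context):
        if op in self.usages:
            return
        if self.acl_callback is not None and self.acl_callback(op, context):
            return
        raise KeyUsageError(f"{op!r} not permitted for usages {sorted(self.usages)}")

    def sign(self, data, context=None):
        self._check("sign", context)
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n
        return pow(h, self.d, self.n)

    def decrypt(self, ciphertext, context=None):
        self._check("decrypt", context)
        return pow(ciphertext, self.d, self.n)


def verify(public, data, signature):
    """Textbook RSA signature check over the SHA-256 digest reduced mod n."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == h


def pkcs10_acl(op, context):
    """Dynamic ACL callback: allow a signature only when the caller declares
    it to be the PKCS #10 self-signature (the special case in the thread)."""
    return op == "sign" and context is not None and context.get("purpose") == "pkcs10"


def pkcs10_request(key, subject):
    """PKCS #10 proves possession by self-signing the request body with the
    requested key, which a strictly encryption-only key must refuse."""
    body = subject + b"|" + repr(key.public()).encode()
    return body, key.sign(body, context={"purpose": "pkcs10"})


def crmf_challenge_pop(key, ca_nonce):
    """CRMF-style POP for a key-encipherment key: the CA encrypts a nonce to
    the public key, the requester returns it decrypted. No signature is made,
    so the usage controls are never violated."""
    n, e = key.public()
    challenge = pow(ca_nonce % n, e, n)   # CA side
    answer = key.decrypt(challenge)       # requester side: decrypt usage only
    return answer == ca_nonce % n         # CA checks the reply


def demo():
    """Run the scenarios and return (strict key refuses PKCS #10,
    ACL-assisted request verifies, ACL still blocks other signing,
    CRMF challenge POP succeeds on the strict key)."""
    encryption_only = UsageControlledKey({"decrypt"})
    try:
        pkcs10_request(encryption_only, b"CN=encryption-only")
        strict_refuses = False
    except KeyUsageError:
        strict_refuses = True

    with_acl = UsageControlledKey({"decrypt"}, acl_callback=pkcs10_acl)
    body, sig = pkcs10_request(with_acl, b"CN=encryption-only")
    acl_request_verifies = verify(with_acl.public(), body, sig)
    try:
        with_acl.sign(b"anything else")
        acl_blocks_other_signing = False
    except KeyUsageError:
        acl_blocks_other_signing = True

    crmf_pop_ok = crmf_challenge_pop(encryption_only, 1234)
    return strict_refuses, acl_request_verifies, acl_blocks_other_signing, crmf_pop_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The point the model makes explicit is that PKCS #10's proof of possession is inseparable from a signature, so a usage policy has to carve out an exception for it, whereas the CRMF challenge exercises only the operation the key is already allowed to perform.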