Re: Combo DSS/ElGamal keys

[Peter Williams <peter@xxxxxxxxxxxx>]

Douglas Stell-P27604 wrote:

>
>
> Even if both certificates of a subject need to be validated they would
> be
> issued by the CA and the application would not have to validate 2
> chains of
> certificates or CRLs. Seperate certificates then requires validating
> only
> one additional certificate and looking for it in the CA's CRL.

When I used the term STS-KA, I was attempting to give a moniker for
the "store-and-forward key agreement mechanism" used in MSP,
and PGP based on DSS+DH. I was really not trying to imply
STS interactive protocol and its notions for access control to a
connection; I
was  trying to take David Kemps notion that there is an atomic ISO
security
mechanism and algoirhtm conceivable for key agreement which does
(DSS+DH) ,and
this could be given an oid and recognised as such in a store and forward
or
connectionless environment, such as PGP. Such a mechanism could be
similarly used by
S/MIME, while RSA signing or counter-signing say with certs from
a different CA to that managing confidentiality and key escrow, for
example.

"I agree that it would be useful and appropriate to define a
"DH-with-DSS" key exchange algorithm OID with all necessary values
(2 public keys and optional public parameters) included in the
parameter block.  As long as it is clear that the DSS key is not to be
used for any purpose other than authenticating the DH exchange, this,
as Charles points out, would not really count as a multiple-key
certificate.  The logical next step is for someone to write up some
proposed text for PKIX part 1."