RE: key recovery options for PKIX-3 CAs?



Peter,

Thanks for this message; now it is clear where your logic fell through.

>once again I am understanding this to mean that if/when the CA offers B.8.2
>mode, it MUST provide service for a user choice of centralised
>generation and certification of ...an encryption key.
>
>If, upon appropriate installation, it does not respond
>to the procedures specified, it is non-conforming, due to incompleteness.

Yes, centralised generation and certification of a key pair must be
supported by CAs (this is an important requirement for some
environments).  Key archival and key recovery services are optional and
need not be supported by PKIX-3-conformant CAs.  

Stephen Kent has argued previously on this list (correctly, of course)
that key generation and key recovery are not identical.  It is certainly
possible for a CA to support the former without the latter.

Finally, note (as always) that just because CAs must support key
generation, there is no requirement that end entities ever have to use
this.  If they happen to trust their CAs to do certification but not key
generation, then, as PKIX-3-conformant end entities, they need never ask
for this.

Thanks for making this distinction clear in everyone's mind.  Are there
any other red herrings you would like to raise?


--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------