Too many options, was Re: key recovery options for PKIX-3 CAs?
I agree that centralized key generation may not be of sufficient interest to
make its implementation mandatory. And as I have previously stated, I think
that combining centralized key generation with certificate management is a
bad idea for several reasons.
But what would you think about architecting an optional protocol for a
separate key generation request/response, that could be sent to any desired
key generation facility?
>>>> "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com> 08/26/97
>>What (Internet Relevant) environment requires
>>centralized key generation?
>I've helped build systems that use both centralized and local (to the
>key generation. Centralized key generation is useful for large
>that enroll many users from an existing employee database in a single batch
>operation. Some smart card systems require the loading of a public key
>centralized administration system. These examples are not compelling
>to mandate centralized key generation.
>The working group should limit options in the specification and mandate
>one approach (local key generation). Other interesting enrollment models
>should be left as value added options.
Robert R. Jueneman
Network Services Division
122 East 1700 South
Provo, UT 84604