Too many options, was Re: key recovery options for PKIX-3 CAs?
Hi, Paul,
I agree that centralized key generation may not be of sufficient interest to
make its implementation mandatory. And as I have previously stated, I think
that combining centralized key generation with certificate management is a
bad idea for several reasons.
But what would you think about architecting an optional protocol for a
separate key generation request/response, that could be sent to any desired
key generation facility?
Bob
>
>
>>>> "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com> 08/26/97 05:59PM >>>
>
>
>>What (Internet Relevant) environment requires
>>centralized key generation?
>
>I've helped build systems that use both centralized and local (to the client)
>key generation. Centralized key generation is useful for large organizations
>that enroll many users from an existing employee database in a single batch
>operation. Some smart card systems require the loading of a public key from a
>centralized administration system. These examples are not compelling reasons
>to mandate centralized key generation.
>
>The working group should limit options in the specification and mandate only
>one approach (local key generation). Other interesting enrollment models
>should be left as value added options.
>
>Paul
Robert R. Jueneman
Security Architect
Novell, Inc.
Network Services Division
122 East 1700 South
Provo, UT 84604
801/861-7387
bjueneman@novell.com