RE: generation of private keys



At 10:54 AM 11/24/98 -0500, Carlisle Adams wrote:
>Hi Stefan,
>> In a legal context (esp. the German Signature law) a relying party might want
>> to know who generated the key pair of another end entity before deciding to
>> enter a contractual relationship with this entity. One might place trust
>> in another subject's certificate based on that question so wouldn't it make
>> sense to specify an optional certificate extension that indicates who
>> performed the process of key generation (e.g. EE, CA, RA, other)?

>Interesting question.  My initial reaction is to wonder if a new certificate
>extension is really the right solution for this.  If the CA generates the
>key pair, it can certainly populate such an extension with confidence.
>However, if the CA did not generate the key pair, how will it distinguish
>between EE, RA, and "other" (i.e., how will it know (with certainty) who did
>the actual key pair generation so that it can populate the extension)?
>
>Carlisle.

It seems the most a CA could do is indicate either that it did, or did not
generate the keypair, correct?

___tony___

Tony Bartoletti                                             LL
SPI-NET GURU                                             LL LL
Computer Security Technology Center                   LL LL LL
Lawrence Livermore National Lab                       LL LL LL
PO Box 808, L - 303                                   LL LL LLLLLLLL
Livermore, CA 94551-9900                              LL LLLLLLLL
email: azb@llnl.gov   phone: 510-422-3881             LLLLLLLL