
Re: Certificate requests for encryption keys



Brian,

An EE's assertion about binding any key (encryption or signature) to
itself, in the form of a self-signed cert, says little from a security
perspective.  What we are discussing here is whether an EE with an existing
signature key should use it to issue certs for encryption keys.  Yes, one
can do that, but it adds more complexity to key management.  For some apps,
e.g., S/MIME, one wants a long term encryption key, for the purposes I
mentioned in my note to Anne.  If there are other Internet applications
that need shorter duration encryption, but not authentication, keys, then
the PKIX WG needs to hear a good description of them, to warrant
appropriate accommodation in our standards.  Note that in places where PFS
is a goal, one can avoid the need for certs entirely for encryption
purposes, e.g., IKE.

Steve
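The arrangement under discussion, an EE using its existing signature key to issue a certificate for a separate, shorter-lived encryption key, as an added example written for this page in Go's standard library; it is not code from the thread or from the PKIX WG. The identity `ee@example.com`, the 5-year and 24-hour lifetimes and the serial numbers are constructed for the example. It also shows why a self-signed encryption cert "says little": it chains to nothing a relying party already trusts. Note the key-management cost Steve alludes to: for the EE's signature cert to be usable as an issuer under RFC 5280 path validation, it has to carry cA=TRUE and keyCertSign, i.e. the EE becomes a CA for itself.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example identity; not taken from the thread.
const eeName = "ee@example.com"

// genRSA returns a fresh 2048-bit RSA key. RSA is used so that the
// encryption key is a genuine keyEncipherment key.
func genRSA() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the DER returned by CreateCertificate into a parsed cert.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// signatureCert is the EE's long-term signature certificate. A real one
// would be CA-issued; it is self-signed here only to keep the example
// offline. To be accepted as an issuer by RFC 5280 path validation (and by
// Go's CheckSignatureFrom) it must also assert cA=TRUE and keyCertSign.
func signatureCert(sigKey *rsa.PrivateKey) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: eeName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0), // long-lived, as for S/MIME
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0, // may certify its own keys, nothing below them
		MaxPathLenZero:        true,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &sigKey.PublicKey, sigKey))
}

// encryptionCert issues a short-lived, encryption-only certificate for encPub,
// signed with the EE's signature key. keyUsage is keyEncipherment alone, so
// the certified key cannot be mistaken for a signature key.
func encryptionCert(issuer *x509.Certificate, sigKey *rsa.PrivateKey, encPub *rsa.PublicKey, ttl time.Duration) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               issuer.Subject, // same EE, different key
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(ttl),
		KeyUsage:              x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, issuer, encPub, sigKey))
}

// selfSignedEncryptionCert is the EE simply signing its encryption key with
// that same key: an assertion about itself that chains to nothing.
func selfSignedEncryptionCert(encKey *rsa.PrivateKey) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: eeName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &encKey.PublicKey, encKey))
}

// verifyAgainst asks whether leaf chains to the one certificate a relying
// party already trusts for this EE. ExtKeyUsageAny is passed because these
// certs carry no EKU extension.
func verifyAgainst(leaf, trusted *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	sigKey, encKey := genRSA(), genRSA()
	sig := signatureCert(sigKey)
	enc := encryptionCert(sig, sigKey, &encKey.PublicKey, 24*time.Hour)
	fmt.Println("issued by signature key:", verifyAgainst(enc, sig))
	fmt.Println("self-signed with enc key:", verifyAgainst(selfSignedEncryptionCert(encKey), sig))
}
```

The first verification succeeds and the second fails with an unknown-authority error, which is the whole difference between the two approaches: a relying party that already holds the EE's signature cert can validate a freshly issued encryption cert without any new trust decision, whereas the self-signed one has to be trusted on its own. The price is that the signature cert must now be a CA certificate with cA=TRUE and keyCertSign, and rotating the encryption key means issuing and distributing a new cert each time.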