cryptoIDs
Trevor Perrin
trevp at trevp.net
Thu Oct 16 14:58:06 EDT 2003
At 09:51 AM 10/16/2003 -0500, Von Welch wrote:
>Trevor Perrin writes (02:53 October 16, 2003):
>...
> > Anyways, for private-key management people should use certs - store your
> > root key (i.e. the key that matches the fingerprint) in a safe place (for
> > most people, this would be with their employer or a commercial service; but
> > the security-conscious can do whatever they want). Then have your root-key
> > issue you short-lived certs for use on your cell-phone, email client, web
> > browser, etc..
>
>In the Grid community these short-lived certs you mention exist and
>are in day-to-day use for the sort of delegation you describe. We call
>them proxy certificates and have standardized them through the IETF
>PKIX working group. See the following url for the latest draft (which
>has passed WG last call).
>
>http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-08.txt
>
>A service implementation also exists to hand out Proxy Certificates
>from the long-term credentials as you suggest. It's called MyProxy,
>and you can find more information at http://myproxy.ncsa.uiuc.edu
Hi Von,
yes, I like those, and I discuss them -
http://trevp.net/cryptoID/cryptoID.html#3.2.1
PGP subkeys and SPKI certs can also be used for "key management" in this
fashion. I don't claim this is novel.
I *do* think that if you design a new cert format from scratch, without
sticking within X.509's straitjacket, you can get something
better. CryptoID certs allow threshold subjects (like SPKI), timed and
one-time revalidation (ditto), they have an authorization language suited
to the task at hand (saying which protocols a key can be used with), and
they're a clean, simple XML format.
Of course, they're also not compatible with X.509 software :-(. If you
don't like that trade-off, then I agree that proxy certs are the better choice.
Trevor
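The delegation pattern both messages describe (a long-lived root key, known to others by its fingerprint, issuing short-lived certs that say which protocols a device key may be used with), as an added Go example that is not code from this thread, from cryptoID or from MyProxy. It assumes Ed25519 keys, a JSON body in place of cryptoID's XML, and the field names shown; threshold subjects and revalidation are not modelled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Cert is a constructed, minimal stand-in for a cryptoID-style short-lived cert:
// a root key delegates to a device key for a bounded time and bounded protocols.
type Cert struct {
	Subject   []byte   `json:"subject"`   // device public key (Ed25519)
	Issuer    string   `json:"issuer"`    // Fingerprint of the root public key
	NotAfter  int64    `json:"not_after"` // unix seconds; keep lifetimes short
	Protocols []string `json:"protocols"` // which protocols the key may be used with
	Sig       []byte   `json:"-"`         // root's signature, excluded from signed bytes
}

// Fingerprint is the hex SHA-256 of a public key: what a person keeps instead of the key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}
func toBeSigned(c *Cert) []byte { b, _ := json.Marshal(c); return b }

// Issue has the long-lived root key sign a short-lived cert for a device key.
func Issue(root ed25519.PrivateKey, device ed25519.PublicKey, now time.Time, ttl time.Duration, protos []string) *Cert {
	c := &Cert{Subject: device, Issuer: Fingerprint(root.Public().(ed25519.PublicKey)),
		NotAfter: now.Add(ttl).Unix(), Protocols: protos}
	c.Sig = ed25519.Sign(root, toBeSigned(c))
	return c
}

// Verify accepts c only if it chains to the trusted fingerprint, is signed by that root,
// has not expired, and authorises proto; the relying party never needs the root key itself.
func Verify(c *Cert, trustedFP string, root ed25519.PublicKey, now time.Time, proto string) error {
	if Fingerprint(root) != trustedFP || c.Issuer != trustedFP {
		return errors.New("issuer does not match the trusted root fingerprint")
	}
	if !ed25519.Verify(root, toBeSigned(c), c.Sig) {
		return errors.New("bad signature")
	}
	if now.Unix() > c.NotAfter {
		return errors.New("certificate expired; obtain a fresh one from the root key")
	}
	for _, p := range c.Protocols {
		if p == proto { return nil }
	}
	return errors.New("key not authorised for protocol " + proto)
}
```

Because the device cert is short-lived and scoped to named protocols, losing a phone or laptop key limits the damage to that key's protocols until its NotAfter passes, and the root key (or the service holding it) simply stops issuing new certs for it.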
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com