Re: PKI / CA -- Public Key & Private Key

From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 04/10/02


From: Anne & Lynn Wheeler <lynn@garlic.com>
Date: Wed, 10 Apr 2002 02:03:46 GMT


"Ingmar" <w i z a r d _ o z @ g m x . n e t> writes:
> This is what I think is going on:
> *) The public key is contained in the certificate
> *) The private key is only available to the user
> *) The CA does not have any private keys (except for its own)

business processes can use (the same) PKI (technology) for two
distinctly different business purposes:

1) authentication
2) confidentiality

in general, digital signatures can be created by using a private key
to sign a message hash/mac ... and then use the corresponding public
key to verify the digital signature ... verifying that a message
originated from a particular entity.

for confidentiality ... the public key can be used for either directly
encrypting a message ... or using a random symmetric key to encrypt
the message and encrypting the symmetric key with the public
key. then only the entity with the corresponding private key can
decrypt the message. the issue (especially for data at rest) is what
happens if the private key becomes unavailable (say because of some
sort of hardware failure), is all the corresponding encrypted data
lost? Frequently, for business continuity purposes (no single point of
failure, etc) ... private keys related to confidentially encrypted
data may be escrowed and/or archived.

The business requirements for authentication ... are that you really
would like to be assured that something originated only from a very
specific purpose. In this scenario, the private key is strongly
protected and may only exist in a single place.

The business requirements for confidentiality ... may require that
valuable corporate assets (data & information) are not lost because of
any sort of failure (including a single token housing a private key).

Business requirements associated with authentication may preclude a
private key ever existing outside a very specific hardware
token. Business requirements associated with confidentiality and
business continuity may require multiple copies of a private key be
kept.

basically, PKI is technology that can be used to address two different
kinds of business requirements (confidentiality and authentication)
which can result in the rules regarding the treatment of a private key
being different based on the different business requirements.

-- 
Anne & Lynn Wheeler   | lynn@garlic.com, http://www.garlic.com/~lynn/
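
Added example, not part of the original post: a small audit that applies the two private-key handling rules described above to a key inventory. It assumes an organisation that enforces both rules strictly and maps them onto X.509 keyUsage names; the inventory records, field names and subjects are constructed for illustration.

```python
from dataclasses import dataclass

# X.509 keyUsage names, grouped by the business purpose they serve (assumed mapping).
AUTH_USAGES = {"digitalSignature", "nonRepudiation"}
CONF_USAGES = {"keyEncipherment", "dataEncipherment", "keyAgreement"}

@dataclass(frozen=True)
class KeyRecord:               # hypothetical inventory record
    subject: str
    key_usage: frozenset       # keyUsage names from the certificate
    copies: int                # places the private key exists (token, backup, escrow)
    escrowed: bool             # a recovery copy is held for business continuity
    hardware_bound: bool       # generated in, and not exportable from, a token

def audit(rec):
    """Return the policy findings for one key record (empty list = compliant)."""
    findings = []
    auth = bool(rec.key_usage & AUTH_USAGES)
    conf = bool(rec.key_usage & CONF_USAGES)
    if auth and conf:
        findings.append("dual-use: one key cannot be both single-copy and escrowed")
    if auth and (rec.escrowed or rec.copies > 1):
        findings.append("signing key exists in more than one place")
    if auth and not rec.hardware_bound:
        findings.append("signing key is not bound to a hardware token")
    if conf and not rec.escrowed:
        findings.append("encryption key has no recovery copy: data lost on failure")
    return findings

# Constructed sample inventory.
INVENTORY = [
    KeyRecord("alice-sign", frozenset({"digitalSignature", "nonRepudiation"}),
              copies=1, escrowed=False, hardware_bound=True),
    KeyRecord("alice-encrypt", frozenset({"keyEncipherment"}),
              copies=2, escrowed=True, hardware_bound=False),
    KeyRecord("bob-dual", frozenset({"digitalSignature", "keyEncipherment"}),
              copies=2, escrowed=True, hardware_bound=False),
    KeyRecord("carol-encrypt", frozenset({"keyEncipherment"}),
              copies=1, escrowed=False, hardware_bound=True),
]

def audit_all(inventory=INVENTORY):
    """Map each subject to its findings."""
    return {rec.subject: audit(rec) for rec in inventory}

if __name__ == "__main__":
    for subject, findings in audit_all().items():
        print(subject, "->", findings or "ok")
```
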


