Split private Key
Wed Sep 12 18:20:01 2001
Clayton Haapala wrote:
> Why not encrypt the Certificate key, prior to splitting it
Encrypt the public key? Does not compute.
Encryption is also not the same as splitting -- splitting is one
way to ensure that more than N principals must act in concert to
sign something -- and that signature might be an authorization
to perform some action with security consequences.
Of course "PKI" is not adequate as a trust management system -- it's
concerned with authentication, but leaves authorization as an exercise
for the reader. ;-) The right way to do this is have an authorization
mechanism that requires K-of-N parties to sign a request for action.
apache-ssl has a module that permits the use of KeyNote policies
in access control.