[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Microsoft's CryptoAPI - thoughts?



-----BEGIN PGP SIGNED MESSAGE-----

James Donald writes:
> I was concerned about a different issue:
> 
> Suppose you have some signed information:  You wish to send some encrypted
> information to the person who wrote that signed information.
> 
> If the signing key and the encrypting key are the same, your software can
> locally ensure that you encrypt with the right key, (The correct key is the
> same public key that you used to check the signature on the message.)
> 
> If the signing key and the encrypting key are different, then in order to
> ensure that you are not spoofed into using the wrong public key, the
> whole protocol must work correctly, exposing many more points of attack, 
> since key management is the most complex and most vulnerable area.

OK, I think I understand the concern. I was assuming a model where the 
signing and encrypting keys are bound together in a certificate in some 
fashion. Presumably the encrypting key is signed by the signing key. The
certificates are distributed & managed according to some protocols and 
policies that are orthogonal to the number of keys in a single certificate.

Things get slightly more complicated if you want to update the encrypting and
signing keys independently of each other. But offhand I don't see any new
thorny issues arising.

Disclaimer: I haven't read enough of the MSCAPI to have any idea how it 
proposes to handle the purpose-specific keys. 

Futplex <[email protected]>		GO COWBOYS!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMQv1IynaAKQPVHDZAQFawwf7BySS8rC/uugXjOtgBM/GU4VlQfdXSk9p
XjaGP1fJiBeFxwtiJe26MqoPmqSNrvV3Bf/iVawUiB1mU+NQgcX6mf6kf7P05c2c
JMsYzFaT468VDC7/uv2pc8NT0u70bbWW8lrSqmyFGBVvMnYDmHXN7XWywdMuB3mk
BIG+zrcfFRVlrHkIGvz3Xzuaog3SVRCUxujozxw1vciY4EgRN2vvizuecNAa4R0j
//vVNOiEAAPqAb/ZEG29Fc/LR7ecjcIihNA+pB/Dn9e5yyuX1H6yy4HNRn0RGaSx
/lDIsLXYI3KsMWuiYENaR5aNcXzn68aM7IxOCEHjp59kLEAy8KxbJQ==
=o0QD
-----END PGP SIGNATURE-----