[Cryptech Tech] Restricting CA signing
Jakob Schlyter
jakob at kirei.se
Fri Jan 30 22:36:46 UTC 2015
On 30 jan 2015, at 23:32, Rob Austein <sra at hactrn.net> wrote:
>
> 2) Russ pointed out that, if one is going to perform this kind of
> checking at all, whether it's for DNSSEC, RPKI, or ..., the set of
> constraints had better be bound up with the key in whatever
> packaging we use to support key backup, so that the key can't be
> separated from the constraints and used without them. Russ seemed
> to think this is achievable within the general framework of PKCS #12.
I agree, the constraints are properties of the key (but can be changed by the security officer or whatever we call the trusted HSM administrator).
jakob
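
One way to get the binding discussed in this thread, as an added example that is not from the original messages or from Cryptech's code: the key is wrapped with an AEAD and the constraints are its associated data, so a backup whose constraints were edited or stripped will not unwrap. AES-256-GCM stands in here for the PKCS #12 packaging the thread mentions; the `Backup` type, `WrapKey`, `UnwrapKey` and the JSON constraint strings are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Backup is a constructed container (an assumption, not PKCS #12): constraints stay readable but are authenticated with the key.
type Backup struct{ Constraints, Nonce, Wrapped []byte }

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey exports key under the backup key kek, with constraints as AEAD associated data.
func WrapKey(kek, key, constraints []byte) (*Backup, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Backup{Constraints: constraints, Nonce: nonce, Wrapped: aead.Seal(nil, nonce, key, constraints)}, nil
}

// UnwrapKey returns the key with its constraints; it fails if they were edited, swapped or stripped.
func UnwrapKey(kek []byte, b *Backup) (key, constraints []byte, err error) {
	aead, err := newGCM(kek)
	if err != nil || len(b.Nonce) != aead.NonceSize() {
		return nil, nil, fmt.Errorf("bad backup key or nonce")
	}
	if key, err = aead.Open(nil, b.Nonce, b.Wrapped, b.Constraints); err != nil {
		return nil, nil, fmt.Errorf("backup rejected: constraints do not match key")
	}
	return key, b.Constraints, nil
}

func main() {
	b, _ := WrapKey(make([]byte, 32), []byte("constructed key bytes"), []byte(`{"use":"dnssec"}`))
	b.Constraints = nil // constraints stripped from the backup file
	fmt.Println(UnwrapKey(make([]byte, 32), b)) // same constructed all-zero backup key
}
```

Changing the constraints in this scheme means unwrapping and re-wrapping under the backup key, so only a party holding that key can do it.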