[Cryptech Tech] Restricting CA signing

Jakob Schlyter jakob at kirei.se
Fri Jan 30 22:36:46 UTC 2015


On 30 jan 2015, at 23:32, Rob Austein <sra at hactrn.net> wrote:
> 
> 2) Russ pointed out that, if one is going to perform this kind of
>   checking at all, whether it's for DNSSEC, RPKI, or ..., the set of
>   constraints had better be bound up with the key in whatever
>   packaging we use to support key backup, so that the key can't be
>   separated from the constraints and used without them.  Russ seemed
>   to think this is achievable within the general framework of PKCS #12.

I agree, the constraints are properties of the key (but can be changed by the security officer or whatever we call the trusted HSM administrator).

	jakob


