[caops-wg] OCSP & Proxy Certs

Mike Helm helm at fionn.es.net
Thu Jan 26 15:11:07 CST 2006


Matt Crawford writes:
> >>> Proxy cert characteristics
> >> [...]
> >   But that key pair is typically created = generated at B and stays
> > there, or is meant to stay there, and that is what is autochthonous.
> 
> But that's true of almost any key pair (it's generated in the smart
> card, HSM, laptop, ... and is meant to stay there), so it isn't an
> interesting statement about proxy key pairs in particular.

Oh no.  Smart cards are quite portable.  This is a particularly interesting
example, since one of the common deployment scenarios
consists of having the PKI management issue you a card, having installed
the keys on it for you.

Our HSMs at least are portable.  Usually something has to be done
for key movability in HSMs for disaster recovery.

Key pairs in browsers and other software crypto stores are
allowed to be copied from one store to another, and indeed that is
the typical way they have to be used in Grids, etc.

The private keys in these cases are only meant to be kept private;
appearance in a different locale is not necessarily a bad thing.
