and it allows reconstruction of the key shares without one or more of the trusted
entities being present to pool the shares.
Key Updating and Key History
Key pairs must be updated at regular intervals, if for no other reason than
to limit how long any one key is exposed to cryptanalytic attack. Once a key
pair expires, the CA can issue a new certificate for a new key pair, or it
can issue a new certificate for the old key pair. Where new key pairs are
issued, this gives rise to what is called a key history, consisting principally
of old private decryption keys. The PKI must maintain this key history for such
purposes as later decryption of old data: ciphertext produced under an expired
key can only be opened with the private key that served at the time, so that
key must remain retrievable. Only decryption keys belong in the history;
signing keys are not retained, since an old signature is verified with the
archived public key and certificate rather than with the private key. Ideally,
the key history is stored with a CA that has an automated process for
retrieving keys from the history as they are needed. This is different from
key archiving, which meets the need for storing public keys and certificates
so that digital signatures can be verified later.
Typically, to free the end user from responsibility, a certificate is verified
automatically each time it is used on the network. Once expiration approaches,
the automated system requests a key update from a suitable CA or, more likely,
an RA. Once the CA has created the new certificate, it replaces the old one
automatically, so that nothing is required of the end user.
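The following Go program is an added example, not code from the book, that models the key history and key update described above. Each ciphertext is tagged with the identifier of the public key it was produced under; on a key update the old private key moves into the history, and decryption looks the key up by that tag. Assumptions made for the example: the key identifier is the SHA-256 of the DER-encoded public key (standing in for an X.509 SubjectKeyIdentifier), each key pair gets a fixed validity period in place of a real certificate, RSA-OAEP is the encryption scheme, and the names KeyHistory, Rotate, UpdateDue, Encrypt and Decrypt are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// KeyID names a key pair; see CurrentID for how it is derived.
type KeyID [sha256.Size]byte

// KeyHistory holds the current decryption key pair plus every retired one,
// indexed by key identifier. Only decryption keys live here; signing keys are
// never retained.
type KeyHistory struct {
	current  *rsa.PrivateKey
	notAfter time.Time     // certificate expiry of the current key pair
	lifetime time.Duration // validity period granted to each new pair
	history  map[KeyID]*rsa.PrivateKey
}

// NewKeyHistory issues the first key pair, valid from now for lifetime.
func NewKeyHistory(now time.Time, lifetime time.Duration) (*KeyHistory, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyHistory{current: priv, notAfter: now.Add(lifetime),
		lifetime: lifetime, history: map[KeyID]*rsa.PrivateKey{}}, nil
}

// CurrentID is the identifier fresh ciphertexts carry: the SHA-256 of the
// DER-encoded current public key, standing in for a SubjectKeyIdentifier
// (an assumption made for this example).
func (h *KeyHistory) CurrentID() KeyID {
	der, err := x509.MarshalPKIXPublicKey(&h.current.PublicKey)
	if err != nil {
		panic(err) // cannot happen for a well-formed RSA public key
	}
	return sha256.Sum256(der)
}

// Retired reports how many old private keys the history holds.
func (h *KeyHistory) Retired() int { return len(h.history) }

// UpdateDue is the automated check run on each use: true when the current
// certificate expires within lead, so a key update should be requested.
func (h *KeyHistory) UpdateDue(now time.Time, lead time.Duration) bool {
	return !now.Add(lead).Before(h.notAfter)
}

// Rotate performs the key update: a fresh pair becomes current and the old
// private key moves into the history under its identifier.
func (h *KeyHistory) Rotate(now time.Time) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	h.history[h.CurrentID()] = h.current
	h.current, h.notAfter = priv, now.Add(h.lifetime)
	return nil
}

// Encrypt seals msg under the current public key (RSA-OAEP) and prefixes the
// key identifier so the ciphertext records which private key it needs.
func (h *KeyHistory) Encrypt(msg []byte) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &h.current.PublicKey, msg, nil)
	if err != nil {
		return nil, err
	}
	id := h.CurrentID()
	return append(id[:], ct...), nil
}

// Decrypt reads the key identifier, retrieves the matching private key from
// the current slot or the history, and opens the ciphertext.
func (h *KeyHistory) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < sha256.Size {
		return nil, errors.New("ciphertext too short to carry a key id")
	}
	var id KeyID
	copy(id[:], blob[:sha256.Size])
	priv, ok := h.current, true
	if id != h.CurrentID() {
		if priv, ok = h.history[id]; !ok {
			return nil, fmt.Errorf("key %x not in history: data is unrecoverable", id[:4])
		}
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[sha256.Size:], nil)
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	h, err := NewKeyHistory(start, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	old, _ := h.Encrypt([]byte("record encrypted under the first key"))
	later := start.Add(85 * 24 * time.Hour)
	if h.UpdateDue(later, 7*24*time.Hour) { // within a week of expiry: update
		if err := h.Rotate(later); err != nil {
			panic(err)
		}
	}
	pt, err := h.Decrypt(old) // old data still opens via the history
	fmt.Printf("%q %v (retired keys: %d)\n", pt, err, h.Retired())
}
```

The key identifier prefix is what makes the history usable: without it, a decryptor would have to try every retired key in turn. Note also what the history deliberately omits: a ciphertext whose key was never in this history fails with an explicit error rather than silently returning garbage, and no signing key is ever placed in the map.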
The Future of PKI
The future of PKI is an open topic. It is developing, with new standards
emerging, at a vigorous pace. For further information, the reader is referred to
any of the following:
1. PKI Forum at
http://www.pkiforum.org
2. The IETF's PKIX working group, already mentioned on page 219:
http://www.ietf.cnri.reston.va.us/html.charters/pkix-charter.html
3. The Government of Canada:
http://www.cse-cst.gc.ca/en/services/pki/pki.html
4. NIST has a Federal PKI Technical Working Group (PKI-TWG) studying
PKI infrastructures for use by government agencies:
http://csrc.nist.gov/pki/twg/
5. The Open Group, an international vendor- and technology-neutral consortium,
is developing PKI standards:
http://www.opengroup.org/public/tech/security/pki/cki/
to mention only a few.