Cryptography Reference
In-Depth Information
ITU-T X.509 can be used in many ways. Consequently, every nontrivial group
of users who want to work with X.509 certificates has to produce a profile that nails
down the features left undefined in X.509. The difference between a specification
(i.e., ITU-T X.509) and a profile is that a specification does not generally set any
limitations on what combinations can and cannot appear in various certificate types,
whereas a profile sets various limitations, for example, by requiring that signing
and confidentiality keys be different. Many standardization bodies work in the field
of “profiling” ITU-T X.509 for specific application environments.
8
For example,
the Internet Engineering Task Force (IETF) has chartered the PKI X.509 (PKIX)
9
working group (WG) to profile the use of ITU-T X.509 on the Internet. The IETF
PKIX WG is a dynamic and very active WG that has published many documents.
19.6
FINAL REMARKS
In this chapter, we elaborated on key management (i.e., the process of handling
and controlling cryptographic keys and related material during their life cycle in
a cryptographic system). Key management is a very complex process, and it does
not come as a surprise that it is the Achilles' heel of almost every system that
employs cryptography and cryptographic techniques. The key life cycle includes
many important phases, and we had a closer look at key generation, distribution,
storage, and destruction.
If there are keys that are so valuable that there is no single entity that is
trustworthy enough to serve as a key repository, then one may look into secret
splitting schemes or—more importantly—secret sharing systems. In fact, secret
sharing systems are likely to be widely deployed in future systems that employ
cryptography and cryptographic techniques. The same is true for key recovery. If
data encryption techniques are implemented and widely deployed, then mechanisms
and services for key recovery are valuable and in many situations unavoidable.
Following this line of argumentation, the first products that implement and make use
of key recovery features already appeared on the marketplace a few years ago. For
example, the commercial versions of PGP have support key recovery on a voluntary
basis. This trend is likely to continue in the future. Last but not least, we briefly
elaborated on digital certificates and PKIs. This is a very difficult topic, both from a
theoretical and practical point of view. In this topic, we only scratched the surface.
8
To “profile” ITU-T X.509—or any general standard or recommendation—basically means to fix the
details with regard to a specific application environment. The result is a profile that elaborates on
how to use and deploy ITU-T X.509 in the environment.
9
http://www.ietf.org/html.charters/pkix-charter.html
