Kyle Hamilton wrote:
On Sun, Mar 16, 2008 at 10:44 PM, David Schwartz <[EMAIL PROTECTED]> wrote:
 If you can't trust the system that generates and stores your private key, 
you're screwed anyway. So I don't see that this argument has any validity.

The issue is 'who is trusting what?'

David's apparent statement is "the person trusting the time is the
person generating the key."
Michael's apparent idea is "if you're generating it and including it
in the key format, then you're making an assertion which must be
trustable by people other than the person generating the key."

My point is that number theory and TAI64n aren't related.  Certificate
policy and matters of key reuse probably need to take both into account.

Look, all RSA keypairs of a given pubkey len are finite in number,
and already exist mathematically.  I hereby give them a timestamp of zero.
Oh, did you mean when YOU started using them?  What's the point of that?
To prevent reuse?  Who cares about that?  Perhaps your CA has a policy
about key lifespan for encryption, or for signing purposes?  Perhaps
your CA requires that private keys used for signing never leave the
device they are generated on?  All quite reasonable, and none of which
argue for a change in either of the common forms of representing
private keys.

- M
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]