On Mon, 7 Jul 2003, Hack Hawk wrote:

> So what they're saying is that your PRIVATE key is stored on a server
> somewhere on the Internet?!?!
No, this (like Kerberos) works best in a federated model. Each organization (or group of organizations that trust a common third party and have mechanisms to authenticate their users to said party) runs a key server. The recipient's address together with the organization-wide public key of the recipient's server (s.P) allow the sender to unilaterally construct a session key that is only recoverable by the recipient's private key, which is derived from the recipient's server secret and the recipient's identity. The recipient needs to (at least once) authenticate to *his* server and get his private key. The server secret "s" (like a KDC master key in Kerberos) yields *everyone's* private key in the organization in question. Unlike a KDC, the database consists only of a single secret! If a user's key is compromised, the user needs to change "identities" (email addresses). If a server key is compromised, ...

This obviates the need for key exchange between individual users, but creates a need for a TTP in each participating organization or consortium.

I look at this as a Kerberos alternative with a public/private master key. Creating a session key does not involve any calls to the KDC because the KDC public keys are published. Interactive user principals can avoid storing their keys in persistent storage by authenticating each time (the mail client starts); disconnected users or server applications store secrets in access-controlled storage (analogous to keytabs). In an AD environment the authentication to the new key server can use the "real" Kerberos...

Unlike the real Kerberos this does not require (n^2)/2 keys, but it does require (n^2)/2 key exchanges of n keys, otherwise one gets back to Verisign-style models for server key signing. Key management does not ever go away! How does one secure the key management? (Bilateral diplomatic cases chained to wrists work, but are difficult on an Internet scale)...
If all server keys are held in write-only tamper-proof hardware, perhaps server key revocation will be rare and key exchanges might be less frequent...

As an online protocol, it resembles Kerberos even more, but perhaps works better across organizational boundaries. Each organization periodically obtains via some secure channel the public keys of their business partners. These are leveraged to create secure channels between users. The channels are not server mediated, so unlike a VPN or SMTP+TLS, the crypto is end-to-end with the servers at each site holding a secret that can compromise every user. I doubt Voltage.com will be able to sell everyone on a single server for the whole Internet, so the bilateral key management problem does not go away, it just gets factored into clumps...

Please correct my impression if I got this completely wrong...

-- Viktor.
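The mechanism described in the message above (the sender builds a session key from the recipient's address plus the server's published s.P; the server's single secret s yields every member's private key, handed out after the member authenticates) matches the Boneh-Franklin identity-based encryption scheme that Voltage commercialized. What follows is an added illustration written for this page; it is not code from the thread, from Voltage, or from any library. It is a toy implementation over a constructed, insecure-size supersingular curve with a hand-rolled Tate pairing, so everything in it is an assumption for demonstration: the parameters p = 12107 and q = 1009, the hash-to-point construction, the `KeyServer` class and the `encapsulate`/`decapsulate` functions.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): p = 3 (mod 4), so
# y^2 = x^3 + x is supersingular over F_p with p + 1 points; q | p + 1 is the
# prime order of the subgroup all keys live in.
p, q = 12107, 1009                       # p + 1 = 12 * 1009
COFACTOR = (p + 1) // q
ONE, ZERO, I = (1, 0), (0, 0), (0, 1)    # elements a + b*i of F_{p^2}, i^2 = -1

def f2_add(x, y): return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def f2_sub(x, y): return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def f2_mul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % p, (x[0]*y[1] + x[1]*y[0]) % p)
def f2_inv(x):                           # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
    n = pow((x[0]*x[0] + x[1]*x[1]) % p, p - 2, p)
    return ((x[0]*n) % p, (-x[1]*n) % p)
def f2_pow(x, e):
    r = ONE
    while e:
        if e & 1: r = f2_mul(r, x)
        x, e = f2_mul(x, x), e >> 1
    return r

def slope(P1, P2):
    """Slope of the chord through P1, P2 (tangent if P1 == P2) on y^2 = x^3 + x."""
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        return f2_mul(f2_add(f2_mul((3, 0), f2_mul(x1, x1)), ONE), f2_inv(f2_mul((2, 0), y1)))
    return f2_mul(f2_sub(y2, y1), f2_inv(f2_sub(x2, x1)))

def ec_add(P1, P2):                      # points are (x, y) over F_{p^2}; None is infinity
    if P1 is None: return P2
    if P2 is None: return P1
    if P1[0] == P2[0] and f2_add(P1[1], P2[1]) == ZERO: return None
    lam = slope(P1, P2)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), P1[0]), P2[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(P1[0], x3)), P1[1]))

def ec_mul(k, P1):
    R = None
    while k:
        if k & 1: R = ec_add(R, P1)
        P1, k = ec_add(P1, P1), k >> 1
    return R

def distort(P1):                         # (x, y) -> (-x, i*y) moves an F_p point off E(F_p)
    return (f2_sub(ZERO, P1[0]), f2_mul(I, P1[1]))

def line_eval(T, R, Q):
    """Miller step: (line through T and R)(Q) / (vertical line at T + R)(Q)."""
    if T[0] == R[0] and f2_add(T[1], R[1]) == ZERO:   # T = -R: vertical line only
        return f2_sub(Q[0], T[0])
    lam, S = slope(T, R), ec_add(T, R)
    l = f2_sub(f2_sub(Q[1], T[1]), f2_mul(lam, f2_sub(Q[0], T[0])))
    return f2_mul(l, f2_inv(f2_sub(Q[0], S[0])))

def pairing(A, B):
    """Modified reduced Tate pairing e(A, B) = t_q(A, distort(B)) for A, B in E(F_p)[q]."""
    Q, T, f = distort(B), A, ONE
    for bit in bin(q)[3:]:               # Miller's algorithm, top bit already consumed
        f, T = f2_mul(f2_mul(f, f), line_eval(T, T, Q)), ec_add(T, T)
        if bit == '1':
            f, T = f2_mul(f, line_eval(T, A, Q)), ec_add(T, A)
    return f2_pow(f, (p * p - 1) // q)   # final exponentiation -> element of order q

def hash_to_point(identity):
    """H1: the recipient's address itself becomes the public key Q_ID, a point of order q."""
    for ctr in range(1 << 16):
        h = hashlib.sha256(identity.encode() + bytes([ctr & 255, ctr >> 8])).digest()
        x = int.from_bytes(h, 'big') % p
        rhs = (x**3 + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1:          # x^3 + x is a square: a curve point exists
            pt = ec_mul(COFACTOR, ((x, 0), (pow(rhs, (p + 1) // 4, p), 0)))
            if pt is not None: return pt
    raise ValueError("no point found")

def kdf(g):                              # H2: pairing value -> 32-byte session key
    return hashlib.sha256(g[0].to_bytes(2, 'big') + g[1].to_bytes(2, 'big')).digest()

G = hash_to_point("base point")          # public generator P shared by everyone

class KeyServer:
    """One organization's key server: the single secret s yields every member's private key."""
    def __init__(self):
        self.s = secrets.randbelow(q - 1) + 1
        self.public = ec_mul(self.s, G)  # s.P, published to the world
    def extract(self, identity):         # d_ID = s * Q_ID, released once the user has authenticated
        return ec_mul(self.s, hash_to_point(identity))

def encapsulate(server_public, identity):
    """Sender: from s.P and the address alone, build U and a session key K without contacting anyone."""
    r = secrets.randbelow(q - 1) + 1
    U = ec_mul(r, G)
    return U, kdf(f2_pow(pairing(hash_to_point(identity), server_public), r))

def decapsulate(d_id, U):
    """Recipient: e(d_ID, U) = e(s*Q_ID, r*P) = e(Q_ID, s*P)^r, so the same K comes out."""
    return kdf(pairing(d_id, U))
```

`encapsulate` is the unilateral step the message describes: the sender touches no KDC, only the recipient's address and the published s.P. `decapsulate` with a key extracted for a different address yields a different K, and whoever holds s can call `extract` for any address in the organization, which is exactly the single-secret exposure the message points out; that is why the question of hardware protection for the server key follows.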