Hey all,

Wondering if anyone has good links for key management documents.

I'm betting that NIST has a SP 800 on it; any others? I'm curious what best practices are, esp. with details on specific systems like GPG and OpenSSL.

For example, key length and revocation practices are obvious, but how about this idea: On gpg, signatures expire if the signing key expires. So I create a large (e.g. 4096-bit) RSA signing-only key, and then create a large (4096-bit RSA) subkey for encryption with an expiration time of 1 year. That way, my communication is limited to a year under a key, but my signatures last. What do you think of this idea?

It's too bad there isn't a notion of identity separate from keys. I suppose email address is one, but they shouldn't have used a key (which could expire) as a synonym for an identity. That's like using a phone number or name as the primary key for a customer entry in a database.

Writing up a preso on what I do is on my todo list, but I'm sure I don't have all the answers. This is kind of a vague request, and intentionally so, because I really don't know what kind of information is out there.

--
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email [email protected] to get blacklisted.
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
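The key layout proposed in the post (a non-expiring sign-only RSA 4096 primary key plus an RSA 4096 encryption subkey that expires after one year), as an added example that is not part of the original post. It assumes GnuPG 2.1 or later is installed and works in a throwaway GNUPGHOME; the user ID and the empty passphrase are constructed placeholders, and the check function verifies the layout from `--with-colons` output (field 12 is capabilities, field 7 is expiry).

```shell
#!/bin/sh
# Added example, not from the original post. Builds and checks the key layout
# described above with GnuPG 2.1+: sign-only primary that never expires,
# encryption subkey that expires in one year.
set -eu

# Isolated keyring so nothing touches the user's real keys.
make_keyring() {
    GNUPGHOME=$(mktemp -d)
    chmod 700 "$GNUPGHOME"
    export GNUPGHOME
}

# Generate the primary (usage "sign", expiry "never") and then add an
# encryption subkey (usage "encr", expiry "1y"). Prints the primary fingerprint.
# The UID and the empty passphrase are constructed placeholders.
make_keys() {
    uid="Example User <user@example.invalid>"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" rsa4096 sign never
    fpr=$(gpg --batch --with-colons --list-keys "$uid" \
          | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" rsa4096 encr 1y
    echo "$fpr"
}

# Verify the layout: the primary key must not carry the lowercase 'e'
# (encrypt) capability and must have an empty expiry; exactly one subkey
# must carry 'e' and it must have an expiry set. Returns 0 if so.
check_layout() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '
        $1=="pub" { pub_caps=$12; pub_exp=$7 }
        $1=="sub" && $12 ~ /e/ { sub_exp=$7; subs++ }
        END {
            ok = (pub_caps !~ /e/) && (pub_exp=="") && (subs==1) && (sub_exp!="")
            exit ok ? 0 : 1
        }'
}

# Stop the agent for the temporary home and delete it.
cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}
```

Run `make_keyring; fpr=$(make_keys); check_layout "$fpr" && echo layout-ok; cleanup` to build the keys and confirm the primary is sign-only with no expiry while only the encryption subkey expires.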
