Arshad Noor wrote:
> Fact.  You must have a PKI that has Key Escrow capability configured,
                                            it is so configured--^

> and you must have the appropriate features within the client tool that
> interacts with the PSM. ...

     ?? Browser and CA are the only 2 that interact with PSM, correct? Does
the browser need any specific configuration or modification? What are the
'appropriate features' for the browser that are not standard?

> interacts with the PSM.  iPlanet's CMS 4.2 supports both capabilities 
> and can generate 2 key pairs with PSM, while escrowing only the 

        ^^^^^^^^^^^  Do you mean here that the CMS 4.2 can 'request'
(rather than 'generate') that the PSM generate the two pairs? Do you know
offhand in which RFC this request is defined?
    Does this work with all versions of the PSM?

> encryption key-pair.
> 
> Why do this?  So that a company does not lose access to all encrypted
> e-mail from an employee's mailbox, should the employee leave the company,
> or forget the PIN to the private keys, or lose the external hardware
> token that stores the key-pairs.
> 
> Arshad
> 
> Victor Probo wrote:
> 
>>Conjecture or fact?
>>
>>Arshad Noor wrote:
>>
>>>It would be, if you were generating 2 key-pairs - one for signing and
>>>
>>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>    How would a user indicate/command to the PSM to do this? Does it come
>>from the CA handshake? I have never seen a popup that asked me for this
>>data. I need to know the reality of the PSM's capabilities.
>>
>>
>>>the other for encryption.  The PSM would send the encryption key-pair
>>>for escrow.
>>>
>>     WHY? How does it know to generate 2 key-pairs? The "keygen"(?) is for
>>a single pair, correct?
>>
>>
>>>Arshad
>>>
>>>Arno Hollosi wrote:
>>>
>>>>Victor Probo wrote:
>>>>
>>>>>private/public key pair. In addition, *the private key is encrypted and
>>>>>included* within the Certificate Request Message Format (CRMF) and sent
>>>>>to the CA."
>>>>
>>>>Sorry, but why on earth would someone send their *private key* to the
>>>>CA? Is this some key-escrow service?
>>>>
>>>>/Arno
>>>>


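The flow the thread is arguing about, written out as an added example (this is not code from the page, from iPlanet CMS, or from PSM): the client generates a signing key pair and an encryption key pair, puts both public keys into CRMF-style certificate requests, and attaches a key-archival control, carrying the encryption private key encrypted to the CA, only to the encryption request. The CA then recovers exactly that one key. CRMF itself is defined in RFC 2511 (since superseded by RFC 4211), and its PKIArchiveOptions control is the field that carries an escrowed key. Everything below is stdlib-only and simplified by assumption: RSA keys are demo-sized (512-bit), the key wrap uses raw unpadded RSA plus an HMAC-SHA256 counter keystream as stand-ins for the algorithms a real EncryptedValue would name, and the messages are JSON dicts with CRMF-like field names, not ASN.1.

```python
"""Dual-key enrollment with escrow of the encryption private key only (added
example; demo-sized keys and stand-in wrapping algorithms, not real CRMF)."""
import hashlib
import hmac
import json
import secrets

E = 65537  # public exponent


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, with trial division by small primes first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa(bits: int = 512) -> dict:
    """Demo-sized RSA key pair as {'n', 'e', 'd'} (far too small for real use)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so phi % E != 0 means gcd(E, phi) == 1
            return {"n": p * q, "e": E, "d": pow(E, -1, phi)}


def public_part(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream: an assumed stand-in for the
    symmetric cipher a real EncryptedValue would identify by algorithm OID."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_private_key(priv: dict, ca_pub: dict) -> dict:
    """EncryptedValue-like structure: a fresh content-encryption key (CEK) is
    wrapped under the CA's public key and the private key bytes are encrypted
    under the CEK. Raw unpadded RSA on a random 256-bit CEK is demo-only."""
    assert ca_pub["n"].bit_length() > 256  # CEK must be below the modulus
    cek = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(cek, "big"), ca_pub["e"], ca_pub["n"])
    enc = _keystream_xor(cek, json.dumps(priv).encode())
    return {"encSymmKey": wrapped, "encValue": enc.hex()}


def unwrap_private_key(ev: dict, ca_priv: dict) -> dict:
    cek = pow(ev["encSymmKey"], ca_priv["d"], ca_priv["n"]).to_bytes(32, "big")
    return json.loads(_keystream_xor(cek, bytes.fromhex(ev["encValue"])))


def build_dual_key_enrollment(ca_pub: dict, subject: str, bits: int = 512):
    """Client side (the role the thread assigns to PSM driven by CMS): generate
    both pairs, request two certificates, and attach a pkiArchiveOptions
    control only to the encryption request. Returns (requests, local keys)."""
    sign, enc = generate_rsa(bits), generate_rsa(bits)
    requests = [
        {"certReqId": 0, "subject": subject,
         "keyUsage": ["digitalSignature", "nonRepudiation"],
         "publicKey": public_part(sign), "controls": {}},
        {"certReqId": 1, "subject": subject,
         "keyUsage": ["keyEncipherment"],
         "publicKey": public_part(enc),
         "controls": {"pkiArchiveOptions": wrap_private_key({"d": enc["d"]}, ca_pub)}},
    ]
    return requests, {"signing": sign, "encryption": enc}


def ca_recover_escrow(requests: list, ca_priv: dict) -> dict:
    """CA side: recover every archived private key, keyed by certReqId. The
    signing request carries no archive option, so it never shows up here."""
    out = {}
    for req in requests:
        ev = req["controls"].get("pkiArchiveOptions")
        if ev is not None:
            out[req["certReqId"]] = unwrap_private_key(ev, ca_priv)
    return out


def request_exposes(requests: list, key: dict) -> bool:
    """True if a private exponent appears in clear anywhere in the serialized request."""
    return str(key["d"]) in json.dumps(requests)


if __name__ == "__main__":
    ca = generate_rsa()
    reqs, local = build_dual_key_enrollment(public_part(ca), "CN=alice")
    print(sorted(ca_recover_escrow(reqs, ca)))  # only the encryption request id
```

The check worth keeping from this is the last one: after building the request, confirm that neither private exponent is present in clear and that the CA can recover only the encryption key. That separation, not the escrow itself, is what lets the company read an ex-employee's mail without ever holding a key that could forge their signatures.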