On Wed, Sep 12, 2001 at 06:06:45AM -0700, Michael Sierchio wrote:
> 
> matt wrote:
> 
> > Use dd(1). Say the key is 1000B:
> > $ dd if=key.file of=key.file.1 bs=300 count=1
> > $ dd if=key.file of=key.file.2 bs=300 skip=1 count=1
> > $ dd if=key.file of=key.file.3 bs=300 skip=2
> > 
> 
> This reveals key bits to the holders, however.  Using
> a K-of-N threshold scheme, or even a simple XOR,  prevents
> the holders from having any knowledge of the key bits.

Why not encrypt the Certificate key, prior to splitting it,
with a public RSA or DSS key that you do not publish?  Then any holder
would have to have the associated private key AND all the other parts to
do any damage.
--
Clay
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
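The contrast drawn in this thread, as an added example that is not code from any poster or from OpenSSL: the `dd`-style split hands each holder raw key bytes, while a simple XOR split (all holders required, not a K-of-N threshold scheme) hands each holder bytes that are independent of the key. The function names and the 1000-byte stand-in for `key.file` are assumptions made for this sketch.

```python
from __future__ import annotations
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def xor_split(key: bytes, n: int) -> list[bytes]:
    """n-of-n split: n-1 random pads, plus the key XORed with every pad."""
    if n < 2:
        raise ValueError("need at least two holders")
    pads = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, key)]

def xor_combine(shares: list[bytes]) -> bytes:
    """XOR of all n shares cancels the pads and returns the key."""
    return reduce(xor_bytes, shares)

def slice_split(key: bytes, bs: int, n: int) -> list[bytes]:
    """What the dd commands do: n-1 blocks of bs bytes, remainder to the last part."""
    parts = [key[i * bs:(i + 1) * bs] for i in range(n - 1)]
    return parts + [key[(n - 1) * bs:]]

def reveals_key_bytes(key: bytes, part: bytes) -> bool:
    """True when a holder's part is a verbatim run of the key's bytes."""
    return part in key

if __name__ == "__main__":
    key = secrets.token_bytes(1000)  # constructed stand-in for key.file
    for name, parts in (("dd slices", slice_split(key, 300, 3)),
                        ("XOR shares", xor_split(key, 3))):
        leaks = [reveals_key_bytes(key, p) for p in parts]
        print(f"{name}: sizes={[len(p) for p in parts]} leak_key_bytes={leaks}")
    shares = xor_split(key, 3)
    print("all 3 XOR shares recover key:", xor_combine(shares) == key)
    print("2 of 3 XOR shares recover key:", xor_combine(shares[:2]) == key)
```

Each XOR share is as long as the key itself, and losing any one share makes the key unrecoverable.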
