On Mon, Feb 10, 2003, Jason Haar wrote: > All this talk about trying to gateway client certs has got me thinking > about something I saw last week in the PGP-8.0 docs. > > They have this concept of "additional decryption keys". Apparently you > can configure PGP so that even though you are the only one with your > key-pair, when you encrypt a message to someone else, it is co-signed > with this "additional" key. This is for corporate use where the company > always wants to be able to decrypt your email (say, if you leave), but > this additional key only allows decrypt - not encrypt rights - so they > still can't forge (i.e. the authenticity of your cert is not degraded). > > Is this some hack, or would such things be possible within SSL? My main > thought is for being able to decrypt S/MIME mail, without needing the > originators cert (same reason: corporate use) >
Well for S/MIME enveloped data you can add additional certificates whose owner (i.e. the entity with access to the private key) can decrypt. Many S/MIME clients automatically make the message readable by the recpient (its silly otherwise) and the sender (so they can later read it in the "Sent" mailbox) additional certificates could be added to any other entity that should be able to decrypt the mail. Various other techniques exist such as separate encryption and signing keys where the encryption key is backed up. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
