Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-11 Thread mhey...@gmail.com
On Sun, Aug 1, 2010 at 7:10 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: ...does anyone know of any significant use [of split keys] by J.Random luser?  I'm interested in this from a usability point of view. Maybe not J.Random but J.Corporate... A few jobs ago back in the late '90s, I

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-04 Thread Tanja Lange
There is more than the UI at stake here, i.e. the basic functionality of the scheme. Say you distribute shares in a 4 out of 7 scheme (ABCDEF) and share A is published on the web. How do you recover from the remaining 3 out of 6 scheme into a 4 out of 6 scheme without having a key

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-04 Thread Thierry Moreau
Tanja Lange wrote: There is more than the UI at stake here, i.e. the basic functionality of the scheme. Say you distribute shares in a 4 out of 7 scheme (ABCDEF) and share A is published on the web. How do you recover from the remaining 3 out of 6 scheme into a 4 out of 6 scheme without having

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-03 Thread Jakob Schlyter
On 2 aug 2010, at 16.51, Jeffrey Schiller wrote: Does the root KSK exist in a form that doesn't require the HSM to re-join, or more to the point if the manufacturer of the HSM fails, is it possible to re-join the key and load it into a different vendor's HSM? With the assistance of the

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-03 Thread Jakob Schlyter
On 2 aug 2010, at 08.30, Peter Gutmann wrote: For the case of DNSSEC, what would happen if the key was lost? There'd be a bit of turmoil as a new key appeared and maybe some egg-on-face at ICANN, but it's not like commercial PKI with certs with 40-year lifetimes hardcoded into every

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-03 Thread Thierry Moreau
Peter Gutmann wrote: That's a good start, but it gets a bit more complicated than that in practice because you've got multiple components, and a basic red light/green light system doesn't really provide enough feedback on what's going on. What you'd need in practice is (at least) some sort of

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread D. K. Smetters
Jonathan Katz wrote: On Sat, 31 Jul 2010, Jakob Schlyter wrote: On 31 jul 2010, at 08.44, Peter Gutmann wrote: Apparently the DNS root key is protected by what sounds like a five-of-seven threshold scheme, but the description is a bit unclear. Does anyone know more? The DNS root key is

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Thierry Moreau
Peter Gutmann wrote: Thierry Moreau thierry.mor...@connotech.com writes: With the next key generation for DNS root KSK signature key, ICANN may have an opportunity to improve their procedure. What they do will really depend on what their threat model is. I suspect that in this case their

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Jerry Leichter
On Aug 1, 2010, at 7:10 AM, Peter Gutmann wrote: Thanks to all the folks who pointed out uses of m-of-n threshold schemes, however all of them have been for the protection of one-off, very high-value keys under highly controlled circumstances by trained personnel, does anyone know of any

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Peter Gutmann
Jerry Leichter leich...@lrw.com writes: One could certainly screw up the design of a recovery system, but one would have to try. There really ought not be that much of difference between recovering from m pieces and recovering from one. There's a *huge* difference, see my previous posting

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Jerry Leichter
On Aug 2, 2010, at 2:30 AM, Peter Gutmann wrote: Jerry Leichter leich...@lrw.com writes: One could certainly screw up the design of a recovery system, but one would have to try. There really ought not be that much of difference between recovering from m pieces and recovering from one.

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Peter Trei
On 7/31/2010 2:54 PM, Adam Shostack wrote: On Sat, Jul 31, 2010 at 06:44:12PM +1200, Peter Gutmann wrote: | Apparently the DNS root key is protected by what sounds like a five-of-seven | threshold scheme, but the description is a bit unclear. Does anyone know | more? | | (Oh, and for people who

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Jeffrey Schiller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OK. I'm being a bit lazy but... I've read through the ceremony script and all that, but I have a simple question which the script documents didn't really answer: Does the root KSK exist in a form that doesn't require the HSM to re-join, or more to

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-02 Thread Peter Gutmann
Jerry Leichter leich...@lrw.com writes: Here's how I would do it: Key segments are stored on USB sticks. There's a spot on the device with m USB slots, two buttons, and red and green LED's. You put your USB keys into the slots and push the first button. If the red LED lights - you don't have

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-01 Thread Richard Salz
(In a threshold cryptosystem, the shares would be used in a protocol to perform the desired cryptographic operation [e.g., signing] without ever reconstructing the real secret.) Has real threshold cryptography never been used anywhere? Yes, the root key for the SET consortium was done

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-01 Thread Peter Gutmann
Thierry Moreau thierry.mor...@connotech.com writes: With the next key generation for DNS root KSK signature key, ICANN may have an opportunity to improve their procedure. What they do will really depend on what their threat model is. I suspect that in this case their single biggest threat was

Is this the first ever practically-deployed use of a threshold scheme?

2010-07-31 Thread Peter Gutmann
Apparently the DNS root key is protected by what sounds like a five-of-seven threshold scheme, but the description is a bit unclear. Does anyone know more? (Oh, and for people who want to quibble over practically-deployed, I'm not aware of any real usage of threshold schemes for anything, at

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-07-31 Thread Jakob Schlyter
On 31 jul 2010, at 08.44, Peter Gutmann wrote: Apparently the DNS root key is protected by what sounds like a five-of-seven threshold scheme, but the description is a bit unclear. Does anyone know more? The DNS root key is stored in HSMs. The key backups (maintained by ICANN) are encrypted