[LINK] RE: [ICA] Demolition Job on Digital Signatures

rsedc@urgento.gse.rmit.EDU.AU
Mon, 13 Nov 2000 20:28:39 +1100 (EST)


Most of the complaints raised under the heading "The X.509v3 Standard"
have more to do with government policies or PKI implementation in general
rather than standard based. X.509v3 might have imperfections but the
complaints raised are not them. Key-pair generation and key
storage are out of scope for X.509v3.  Read the spec.

	<quote>

    ITU-T X.509 (11/9306/97)

    11.1 Generation of key pairs

    The overall security management policy of an implementation shall define
    the lifecycle of key pairs, and is, thus, outside the scope of the
                     ^^^^^^^^^                ^^^^^^^^^^^^^^^^^
    authentication framework. However, it is vital to the overall security
    that all private keys remain known only to the user to whom they belong.

    Key data is not easy for a human user to remember, so a suitable method
    for storing it in a convenient transportable manner shall be employed. One
    possible mechanism would be to use a Smart Card.

    This would hold the private and (optionally) public keys of the
    user, the user's certificate, and a copy of the certification authority's
    public key. The use of this card shall additionally be secured by,
    e.g. at least use of a PIN (Personal Identification Number), increasing
    the security of the system by requiring the user to possess the card and
    to know how to access it. The exact method chosen for storing such data,
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    however, is beyond the scope of this Directory Specification.
                ^^^^^^^^^^^^^^^^

	</quote>



--
David Chia,
RMIT University