[LINK] RE: [ICA] Demolition Job on Digital Signatures
Mon, 13 Nov 2000 20:28:39 +1100 (EST)
Most of the complains raised under the heading "The X.509v3 Standard"
have more to do with government policies or PKI implementation in general
rather than standard based. X.509v3 might have imperfections but the
complains raised are not them. Key-pair generation and keys
storage are out of scope for X.509v3. Read the spec.
ITU-T X.509 (11/9306/97)
11.1 Generation of key pairs
The overall security management policy of an implementation shall define
the lifecycle of key pairs, and is, thus, outside the scope of the
authentication framework. However, it is vital to the overall security
that all private keys remain known only to the user to whom they belong.
Key data is not easy for a human user to remember, so a suitable method
for storing it in a convenient transportable manner shall be employed. One
possible mechanism would be to use a Smart Card.
This would hold the secretprivate and (optionally) public keys of the
user, the user's certificate, and a copy of the certification authority's
public key. The use of this card shall additionally be secured by,
e.g. at least use of a PIN (Personal Identification Number), increasing
the security of the system by requiring the user to possess the card and
to know how to access it. The exact method chosen for storing such data,
however, is beyond the scope of this Directory Specification.