Re: Fwd: [Jsdsi-users] KeyStore
Status: Pre-Alpha
Brought to you by:
sajma
Menu
▾
▴
Re: Fwd: [Jsdsi-users] KeyStore
|
From: Dav C. <dav...@gm...> - 2004-08-13 16:56:23
|
On Fri, 13 Aug 2004 00:49:24 +0100, Sean Radford <sra...@ae...> wrote: > Saving a KeyPair to file.... For this I think we really need an > implementation of a KeyStore that supports JSDSI objects (well > SExpressions really). If I remember correctly the Sun and BouncyCastle > ones do not work (you can save but they have trouble loading). I did > have a modified BouncyCastle keystore a long time back that worked(I > took the original source and added about 3 lines of code) - not sure > where it is now but could hunt down I guess... > > To store other peoples public keys one would create NameCertificates for > them and store them in a CertStore. If there is a limited number of > proof searching using a jsdsi.Prover is not required I guess you could > use a KeyStore? OK, well for now I suppose I can just save/load my keypairs as java object sreams without a passphrase until I figure out a way to do it securely. I think I'm starting to get a better mental picture of how this should look. The application should have 1) some sort of file system storage for the user's personal key pairs 2) some sort of file system storage for the name certificates that bind public keys to the user's local names 3) some sort of file system storage for auth certificates which define access to the user's resources - ideally #1 should be encrypted with a pass phrase, since that's the only thing with private keys - I thought I could use a sun java.security.KeyStore for #1 (in memory and fs), but I can't, and there is no equivalent as of yet in jsdsi - #2 and #3 don't need any encryption on the file system - in memory, #2 and #3 can both be in jsdsi.CertStores - #2 and #3 could actually be in the same jsdsi.CertStore - there's no defined methods to store/load a CertStore to the fs Assuming all the above is correct, my main conceptual confusion now is with how best to reference the user's keypairs when he needs to use them (for signing new name certificates or whatever). Let's say I have two keypairs, one for signing things as 'Dav the private person' and one for signing things as 'Dav the employee'. I could bind each in a name certificate (as "me-private" and "me-work" perhaps) and place them in my own cert store, but when I need to access them that means I could get the public key from the cert store easily, but the private key is stored in another collection. Is the standard method to do this and then search my keypairs for the pubkey match? That would work I'm sure, but I don't want to reinvent the wheel (badly) if there is a better way already implemented somewhere. For that matter, am I correct in assuming that a user would have two keys like that, or is it more in line with the SPKI/SDSI vision that I'd have one keypair and it would be granted permission to sign things under differnt roles? I think I read something about that somewhere, but I can't find it at the moment. > Stick with SPKI! ;-) (I'm probably biased) Seriously though, I should > imagine that the A&A stuff in SPKI is what you need, and correct me if > I'm wrong, but PGP doesn't really support authorisation? I'm sure you're not wrong, I can barely keep my head straight about all the PGP/X509/SPKI/SDSI stuff I've been reading :) -- Dav Coleman http://AkuAku.org/ |
