Re: Fwd: [Jsdsi-users] KeyStore
From: Sean R. <sra...@ae...> - 2004-08-14 15:32:36
Dav Coleman wrote:

> OK, well for now I suppose I can just save/load my keypairs as java object
> streams without a passphrase until I figure out a way to do it securely.
>
> I think I'm starting to get a better mental picture of how this should look.
> The application should have
> 1) some sort of file system storage for the user's personal key pairs
> 2) some sort of file system storage for the name certificates that bind
>    public keys to the user's local names
> 3) some sort of file system storage for auth certificates which define
>    access to the user's resources
> - ideally #1 should be encrypted with a pass phrase, since that's the only
>   thing with private keys
> - I thought I could use a sun java.security.KeyStore for #1 (in memory and
>   fs), but I can't, and there is no equivalent as of yet in jsdsi
> - #2 and #3 don't need any encryption on the file system
> - in memory, #2 and #3 can both be in jsdsi.CertStores
> - #2 and #3 could actually be in the same jsdsi.CertStore
> - there's no defined methods to store/load a CertStore to the fs

#2 and #3 should be combined to just be a single Certificate Store. As you rightly have seen, jsdsi.CertStore (as it follows the JCE and implements java.security.CertStore) has no methods for certificate storage. Partly because of this, I have played around with how I think the CertStore stuff should be refactored. It is in a branch called 'branch-jdbc' (as the aim is to produce a JDBC enabled CertStore). It is still a branch for 2 reasons: 1. I haven't finished it! and 2. The other developers need to vet it (esp. Sameer).

> Assuming all the above is correct, my main conceptual confusion now is with
> how best to reference the user's keypairs when he needs to use them (for
> signing new name certificates or whatever). Let's say I have two keypairs,
> one for signing things as 'Dav the private person' and one for signing
> things as 'Dav the employee'. I could bind each in a name certificate (as
> "me-private" and "me-work" perhaps) and place them in my own cert store,
> but when I need to access them that means I could get the public key from
> the cert store easily, but the private key is stored in another
> collection. Is the standard method to do this and then search my keypairs
> for the pubkey match? That would work I'm sure, but I don't want to
> reinvent the wheel (badly) if there is a better way already implemented
> somewhere.

A 'standard' KeyStore allows you to store your private keys indexed by a name (i.e. 'work' or 'personal') along with the public key as a certificate. I would take this approach, with the certificate being stored as an Auto Certificate - that is a self signed Auth Certificate, probably with some simple info as String Tags, e.g. name and email address.

I'll try and hunt down my bouncycastle keystore that works for jsdsi in the next couple of days.

> For that matter, am I correct in assuming that a user would have two keys
> like that, or is it more in line with the SPKI/SDSI vision that I'd have
> one keypair and it would be granted permission to sign things under
> different roles? I think I read something about that somewhere, but I
> can't find it at the moment.

yep, most likely to have 1 keypair per identity/persona.

>> Stick with SPKI! ;-) (I'm probably biased) Seriously though, I should
>> imagine that the A&A stuff in SPKI is what you need, and correct me if
>> I'm wrong, but PGP doesn't really support authorisation?
>
> I'm sure you're not wrong, I can barely keep my head straight about all
> the PGP/X509/SPKI/SDSI stuff I've been reading :)

-- 
Dr. Sean Radford, MBBS, MSc
sra...@ae...
http://www.aegeus-technology.com/
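The alias-indexed, passphrase-protected key store Sean recommends, as an added example (not jsdsi code and not the bouncycastle keystore mentioned in the thread): it uses the standard JDK PKCS12 KeyStore, with BouncyCastle's bcpkix library assumed on the classpath only to mint the self-signed certificate each private-key entry needs. The aliases "me-private" and "me-work" are taken from the thread; the class and method names, the RSA/SHA256withRSA choice and the one-year validity are assumptions, and the String Tags Sean mentions are not modelled.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class PersonaKeyStore {
    // Self-signed certificate carrying the persona's public key: PKCS12 private-key
    // entries must have a certificate chain, and this plays the role of the
    // self-signed "auto certificate" suggested in the reply (hypothetical helper).
    static X509Certificate selfSign(KeyPair kp, String alias) throws Exception {
        X500Name name = new X500Name("CN=" + alias);
        Date from = new Date(), to = new Date(from.getTime() + 365L * 86400_000L);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(from.getTime()), from, to, name, kp.getPublic());
        return new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    // One key pair per persona, each stored under its alias; the file on disk is
    // protected by the passphrase rather than written as plain serialised objects.
    static void createStore(String path, char[] pass, String... aliases) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // empty in-memory store
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        for (String alias : aliases) {                          // e.g. "me-private", "me-work"
            KeyPair kp = gen.generateKeyPair();
            ks.setKeyEntry(alias, kp.getPrivate(), pass, new Certificate[] { selfSign(kp, alias) });
        }
        try (FileOutputStream out = new FileOutputStream(path)) { ks.store(out, pass); }
    }

    // Look a persona up by alias: private key and matching public key come back
    // together, so no separate key collection has to be searched for the match.
    static KeyPair loadPersona(String path, char[] pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); } // wrong passphrase -> IOException
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pass);
        if (priv == null) throw new KeyStoreException("no persona named " + alias);
        return new KeyPair(ks.getCertificate(alias).getPublicKey(), priv);
    }
}
```

Calling `createStore("personas.p12", pass, "me-private", "me-work")` once and then `loadPersona("personas.p12", pass, "me-work")` returns the work persona's key pair; the certificates for name bindings and authorisations stay in the separate, unencrypted certificate store discussed above.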