Subject: Re: PRIMAIRY KEY Authorisation DBase/ registration utility?
From: Joseph Ashwood (ashwoodmsn.com)
Date: Fri Apr 28 2000 - 14:51:15 CDT


Well I can't answer all of your questions, because you don't give us
all the information needed (the most important of which is what kind
of certificate? X.509 differs greatly in most of these regards
compared to PGP). I'm assuming that you want the answers for X.509
certificates (used for S/MIME, SSL, etc.).

> 1. What is a good primary key to link the cert to the authorisation
> database, also when we take into account that the cert is changing
> every 2 years.

The Verisign root, it's the most widespread, and most trusted.

> 2. How do these customers fill their databases using different CA's.
> They want to be proactive and fill the dbase beforehand but it is not
> possible to have all certs distributed from the CA. On the other hand
> it is only possible to have some kind of registration utility that
> makes it possible to register, show your cert and the "registration
> officer" puts it in the dbase. The registration util must also cope
> with changes and canceling subscription. Any registration utilities
> available for the web??

I'm not aware of any offhand, but I'm sure there's something
available.

> 3. Looking at the EU regulations. It is better to use two keypairs.
> One for Signing and one for encryption. What key-usages should be in
> which cert (extended key-usages like client authentication, file
> encryption, e-mail protection?) Are there any tests available on how
> applications like NS/M$ deal with two key-pairs. My first experience
> is that it is a total dark forest...

Mark one key for everything except signing, mark the other for signing
only. Again I'm not sure if NS and M$ deal with them properly, but if
you have a cert it's easy enough to test.
                Joe
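
The split described in the reply to question 3 (one certificate for signing only, the other for everything else) can be checked on the keyUsage extension of each certificate. The following is an added example, not part of the original post: it decodes the DER BIT STRING value of keyUsage with the Python standard library. The function names, the choice of digitalSignature and nonRepudiation as the "signing" bits, and the hex sample values are assumptions constructed for illustration.

```python
# Added example: decode an X.509 keyUsage value (DER BIT STRING) and check
# the two-certificate split. Names and sample bytes are constructed.
KEY_USAGE_BITS = [  # RFC 5280 order; bit 0 is the top bit of the first byte
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]
# Assumption: these two bits are what "signing" means for an end-entity cert.
SIGNING = {"digitalSignature", "nonRepudiation"}

# Constructed sample values of the extension (tag 0x03, length, unused bits, bits).
SIGN_ONLY = bytes.fromhex("030206c0")  # digitalSignature + nonRepudiation
ENC_ONLY = bytes.fromhex("03020430")   # keyEncipherment + dataEncipherment
MIXED = bytes.fromhex("030205a0")      # digitalSignature + keyEncipherment


def decode_key_usage(der: bytes) -> set:
    """Return the usage names set in a DER-encoded keyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, payload = der[1], der[2], der[3:]
    if length >= 0x80 or length != len(der) - 2 or unused > 7:
        raise ValueError("malformed BIT STRING header")
    total_bits = len(payload) * 8 - unused
    if total_bits < 0 or total_bits > len(KEY_USAGE_BITS):
        raise ValueError("unexpected number of keyUsage bits")
    return {KEY_USAGE_BITS[i] for i in range(total_bits)
            if payload[i // 8] & (0x80 >> (i % 8))}


def check_split(signing_der: bytes, other_der: bytes) -> list:
    """List violations of 'one cert signs only, the other never signs'."""
    sig, other = decode_key_usage(signing_der), decode_key_usage(other_der)
    problems = []
    if not sig:
        problems.append("signing cert: no usages set")
    if sig - SIGNING:
        extra = ", ".join(sorted(sig - SIGNING))
        problems.append("signing cert also allows: " + extra)
    if other & SIGNING:
        extra = ", ".join(sorted(other & SIGNING))
        problems.append("encryption cert also allows: " + extra)
    return problems


if __name__ == "__main__":
    print(check_split(SIGN_ONLY, ENC_ONLY))  # clean split
    print(check_split(MIXED, ENC_ONLY))      # signing cert can also encrypt
```

The check covers only the keyUsage bits; extended key usages such as client authentication or e-mail protection live in a separate extension and are not decoded here.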