OpenSSL + ADK


OpenSSL + ADK

ed.edward

Hi,

I recently read the PGP Enterprise doc and found the concept of Additional Decryption Keys (ADK).

What are Additional Decryption Keys? According to the doc, an Additional Decryption Key (ADK) is a data recovery tool. It allows the owner(s) of the Additional Decryption Key to decrypt any information sent to the user.

In my opinion, this is a powerful security tool in situations where an employee is injured, incapacitated, or terminated, leaving valuable information encrypted.

Suppose the security policy requires enforcing the use of an ADK in a PKI environment, so that any information encrypted to a user's key is also encrypted with the Additional Decryption Key (public key).

How can an ADK be implemented, and its usage enforced, in an OpenSSL environment, for example when a CA issues a PKCS12 for end-users?

Could the "-certfile filename" option of the pkcs12 command lead to the same concept as an ADK?

Regards


--
Ed.




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: OpenSSL + ADK

Vadym Fedyukovych
ed.edward wrote:

> Hi,
>
> I recently read the PGP Enterprise doc and found the concept of Additional Decryption Keys (ADK).
>
> What are Additional Decryption Keys? According to the doc, an Additional Decryption Key (ADK) is a data recovery tool. It allows the owner(s) of the Additional Decryption Key to decrypt any information sent to the user.
>
> In my opinion, this is a powerful security tool in situations where an employee is injured, incapacitated, or terminated, leaving valuable information encrypted.
>
> Suppose the security policy requires enforcing the use of an ADK in a PKI environment, so that any information encrypted to a user's key is also encrypted with the Additional Decryption Key (public key).
>
> How can an ADK be implemented, and its usage enforced, in an OpenSSL environment, for example when a CA issues a PKCS12 for end-users?

I'd read the standards (PKCS-12 and related) and implement the functions wanted according to the specifications. It might be a do-and-try process in case it's not quite clear exactly what new functions you'd like to have.

In case you'd like some help: I'm interested in a short-term project,
a paid one. Affordable.

> Could the "-certfile filename" option of the pkcs12 command lead to the same concept as an ADK?

pkcs12 was designed to put certificates (and keys) into PKCS-12 bags.

Regards,
Vadym
