On Thu, May 04, 2006 at 05:28:18AM +0100, James Westby wrote: > On (03/05/06 20:29), Grant Thomas wrote: > > When large buildings are keyed for locks, locks can be keyed for > > different layers of security. > > > > So, there might be the highest key, or skeleton key's used in old > > houses that opened all the doors, and multiple levels of sub keys, > > down to a key that opens only one lock. > > > > I think I have a grasp on the basics of PKI as it relates to X.509 > > certificates, but I'm wondering if there is a PKI implementation that > > allows for multiple layers of access built into the keys themselves. > > PKI is for authentication, not for access control. >
This statement may be true, but only in a very narrow sense that escapes me. PKI stands for Public Key Infrastructure. It has to do with *public* keys, which are used for encrypting information. Encryption is commonly believed to be a way to control access to information. One may have access to an encrypted document but, without the key for decrypting it, one does not have access to the information. OTOH, I think that OP's question does reveal a misunderstanding of dual key cryptography. Suppose a business wants to have an information 'czar' who has access to all business documents generated by employees of the business in the conduct of their work. For this, dual key encryption has little to offer over more traditional single key encryption in which the same key is used to both encrypt and decrypt. For the 'czar' to fulfil his duties, he needs to have under his control a private database of company keys. Unlike real physical keys to doors, he does not have to carry these keys around in a pants pocket. He can't use them unless he is sitting at a computer that has access to company documents in digital form. For him, there is no particular benefit in having just one key for his personal use, and, in any case, it is easy for him to encrypt his database and keep in his posession only the decryption key of his database. So it seems to me that a layered structure for public keys has no target audience of potential users, and therefore may very well not have been invented. But there are lots of useless inventions in this world, so there may be proposals for layered dual key systems. The whole business of certificates and certificate authorities has to do with publishing reliable information about who has *access* to the private key that matches a published public key. Here layering seems to be already implemented, but has little similarity to the layer structure of physical keys to doors in a building. PKI is a tricky business with lots of nasty little problems for which solutions must be invented and implemented. An analogy to the keying of a building only hides its real difficulties. -- Paul E Condon [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
