[cryptography] key management guidelines

travis+ml-rbcryptography at subspacefield.org
Fri Sep 3 14:21:40 EDT 2010


Hey all,

Wondering if anyone has good links for key management documents.

I'm betting that NIST has a SP 800 on it; any others?

I'm curious what best practices are, esp. with details on specific
systems like GPG and OpenSSL.

For example, key length and revocation practices are obvious, but
how about this idea:

On gpg, signatures expire if the signing key expires.  So I create a
large (e.g. 4096-bit) RSA signing-only key, and then create a large
(4096-bit RSA) subkey for encryption with an expiration time of 1
year.  That way, my communication is limited to a year under a key,
but my signatures last.  What do you think of this idea?
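An added check, not from the post and not part of GnuPG, that inspects a `gpg --list-keys --with-colons` listing for exactly this layout (signing-only primary key without expiry, encryption subkey expiring within a year, both 4096-bit). The listings it parses are constructed samples, and the one-year and 4096-bit thresholds are taken from the post.

```python
"""Check a `gpg --list-keys --with-colons` listing against the layout in the post.
Field numbers follow gpg's DETAILS colon format (field 12 = key capabilities)."""
from datetime import datetime, timezone

ONE_YEAR = 366 * 24 * 3600  # seconds; allow for a leap year

def to_epoch(field):
    """gpg prints seconds since the epoch (newer) or YYYY-MM-DD (older)."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    y, m, d = (int(x) for x in field.split("-"))
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def check_key_layout(listing):
    """Return a list of findings; an empty list means the scheme is followed."""
    findings = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        bits, keyid = int(f[2] or 0), f[4]
        created, expires = to_epoch(f[5]), to_epoch(f[6])
        # lowercase letters = this key's own capabilities; uppercase = whole key
        caps = "".join(c for c in f[11] if c.islower())
        if f[0] == "pub":
            if "e" in caps:
                findings.append(f"primary {keyid} can encrypt; keep encryption on a subkey")
            if expires is not None:
                findings.append(f"primary {keyid} expires, so its signatures will expire")
        elif "e" in caps:
            if expires is None:
                findings.append(f"encryption subkey {keyid} never expires")
            elif expires - created > ONE_YEAR:
                findings.append(f"encryption subkey {keyid} lifetime exceeds one year")
        if bits and bits < 4096:
            findings.append(f"{f[0]} {keyid} is {bits}-bit; the post suggests 4096")
    return findings

# Constructed sample listings (not real keys); 1315080100 is 365 days after 1283544100.
GOOD_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1283544100:::u:::scESC::::::23::0:
sub:u:4096:1:FEDCBA9876543210:1283544100:1315080100:::::e::::::23:
"""
BAD_LISTING = """\
pub:u:2048:1:1111111111111111:1283544100:1315080100::u:::scESC::::::23::0:
sub:u:2048:1:2222222222222222:1283544100::::::e::::::23:
"""
```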

It's too bad there isn't a notion of identity separate from keys.
I suppose email address is one, but they shouldn't have used a key
(which could expire) as a synonym for an identity.  That's like
using a phone number or name as the primary key for a customer
entry in a database.

Writing up a preso on what I do is on my todo list, but I'm sure I
don't have all the answers.

This is kind of a vague request, and intentionally so, because
I really don't know what kind of information is out there.
-- 
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.