Interface For The Key Recovery Process - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual


Key Recovery Process
splitting or sharing, whereby it splits the PIN that protects the token in which the
storage key pair resides among n number of key recovery agents and reconstructs
the PIN only if m number of recovery agents provide their individual passwords; n
must be an integer greater than 1 and m must be an integer less than or equal to n.
Here's how the m of n secret splitting mechanism gets built and works:

During the installation of a Data Recovery Manager, you generate the storage key
pair and specify the hardware token in which the key pair is to be stored. At this
time, you also specify a PIN (or password) to protect the token, the total number of
key recovery agents (n), and how many of these agents (m) are required to perform
a key recovery operation. You can change the m of n secret splitting later; for
details, see "Key Recovery Agent Scheme" on page 727.

The Data Recovery Manager splits the PIN for the token into n parts or pieces. It
then encrypts these parts with the passwords that are provided by the authorized
key recovery agents.

During the key recovery procedure, the required number of key recovery agents
(m) provide their identifiers and passwords. After verifying the passwords, the
Data Recovery Manager reconstructs the PIN for the token based on the given
information.
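
The split, wrap and reconstruct flow described above, as an added Python example (not taken from the manual or from Netscape's code). The manual does not name the splitting algorithm, so Shamir's secret sharing is assumed here; the PBKDF2 keystream and HMAC wrapping of each share, the function names and the sample values are likewise constructed for illustration.

```python
# Added illustration. Shamir's scheme is an assumption; the manual names no algorithm.
import hashlib, hmac, secrets

P = 2**127 - 1  # prime field modulus; the PIN as an integer must be smaller

def _kdf(password, salt):
    # 16 bytes of keystream for the share plus a 32-byte MAC key, unique per salt
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=48)
    return out[:16], out[16:]

def split_pin(pin, passwords, m):
    """Split pin into one share per agent (any m recover it), each wrapped under that agent's password."""
    n = len(passwords)
    if not (n > 1 and 1 <= m <= n):
        raise ValueError("need n > 1 and 1 <= m <= n")
    secret = int.from_bytes(pin.encode(), "big")
    if secret >= P:
        raise ValueError("PIN too long for this field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]  # degree m-1 polynomial
    wrapped = {}
    for x, (agent, pw) in enumerate(passwords.items(), start=1):
        y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        salt = secrets.token_bytes(16)
        stream, mac_key = _kdf(pw, salt)
        ct = bytes(a ^ b for a, b in zip(y.to_bytes(16, "big"), stream))
        wrapped[agent] = (x, salt, ct, hmac.new(mac_key, ct, "sha256").digest())
    return wrapped

def recover_pin(wrapped, supplied, m):
    """Verify each supplied password, unwrap that agent's share, then interpolate f(0)."""
    points = []
    for agent, pw in supplied.items():
        x, salt, ct, tag = wrapped[agent]
        stream, mac_key = _kdf(pw, salt)
        if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
            raise PermissionError(f"password check failed for {agent}")
        points.append((x, int.from_bytes(bytes(a ^ b for a, b in zip(ct, stream)), "big")))
    if len(points) < m:
        raise PermissionError("fewer than m recovery agents authenticated")
    secret = 0
    for xj, yj in points[:m]:  # Lagrange interpolation at x = 0
        num = den = 1
        for xk, _ in points[:m]:
            if xk != xj:
                num = num * -xk % P
                den = den * (xj - xk) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret.to_bytes(16, "big").lstrip(b"\0").decode()
```

Any m agents can take part in a recovery, and a single wrong password stops the operation before any share is combined.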

Interface for the Key Recovery Process

With the Key Recovery form provided in the Data Recovery Manager Agent
Services interface, key recovery agents can collectively unlock the key repository of
the Data Recovery Manager and retrieve end users' encryption private keys and
associated certificates in a PKCS #12 package, which can then be imported into the
client. For an overview of this process, see "How Agent-Initiated Key Recovery
Works" on page 724.

Because key recovery agents use the Data Recovery Manager Agent Services
interface, agent-initiated key recovery invariably involves the Data Recovery
Manager agent and key recovery agents. The Data Recovery Manager agent's
certificate is required to access the Key Recovery form, and key recovery agents'
passwords are required to unlock the key repository. For information on Data
Recovery Manager agents, see "Agents" on page 373.

Your organization's PKI policy may require that the key recovery process be
restricted to authorized recovery agents only, preventing any Data Recovery
Manager agent from being involved. If so, you should ask all key recovery agents
to get client certificates and set them up as Data Recovery Manager agents. For
instructions, see "Setting Up Agents" on page 391.
722
Netscape Certificate Management System Installation and Setup Guide • March 2002
