On Sat, Mar 15, 2008 at 12:12 PM, Mick <[EMAIL PROTECTED]> wrote:
> On Saturday 15 March 2008, Kyle Hamilton wrote:
>  > It's rather infeasible to keep the same private key and generate a new
>  > public key.  If you keep the private key after the expiration of the
>  > certificate, you can still decrypt messages encrypted to it; thus, if
>  > you generate a new pub/priv pair, you just need to keep the old key,
>  > and use all the keys you have to try to decrypt until one works.
>
>  Thanks Kyle,
>
>  Doesn't what you suggest create a headache?  Every time I want to decrypt an
>  old message I sent or I received, or a file, I will need to change the mail
>  client configuration and point it to another private key.  Keeping the same
>  key overcomes this problem.  Have I got this right?  Why is it not feasible
>  to retain the same private key?

If you want to decrypt an old message sent to you from the private
key, you keep the certificate that contains the public key associated
with it.  This costs storage on the receiver.

If you want to decrypt a message sent to the private key from the old
public key, you keep the private key associated with that public key.

Most mail clients allow you to have multiple keypairs, and identify
which to use by the key used to encrypt them.  The certificate is a
means of specifying the 'policy' associated: 'do not use this key for
new encryption after X date/time.'

It's infeasible to generate a new public key associated with the same
private key because of the mathematics involved.  If a new public key
could be derived at will from the private key, then a new private key
could be derived at will from the public key, which would rather
defeat the entire security of asymmetric-key cryptography.  (The
function which must be solved is the same both ways -- if one way can
be solved easily, the other way can be solved just as easily.)

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
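
The point in the message above about holding several key pairs and selecting one by the key a message was encrypted to, as an added example that is not part of the thread: an S/MIME message names its recipient by certificate issuer and serial number, so `openssl smime -decrypt -recip` succeeds only with the matching pair. The key-ring directory, pair names and messages are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and messages are constructed.
set -eu
RING=$(mktemp -d)              # hypothetical key ring: <name>.key + <name>.crt
trap 'rm -rf "$RING"' EXIT     # demo keys are stored unencrypted, so clean up

# Create a self-signed certificate and private key named $1, valid $2 days.
new_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
        -keyout "$RING/$1.key" -out "$RING/$1.crt" 2>/dev/null
}

# Encrypt the text $2 to the certificate named $1 and write the result to $3.
# -binary stops OpenSSL from rewriting line endings to CRLF.
encrypt_to() {
    printf '%s\n' "$2" |
        openssl smime -encrypt -binary -aes256 -out "$3" "$RING/$1.crt"
}

# Print "<pair name>:<plaintext>" for message file $1, using whichever stored
# pair the message names as its recipient. Returns 1 if no stored pair matches.
decrypt_with_ring() {
    for crt in "$RING"/*.crt; do
        name=$(basename "$crt" .crt)
        # -recip makes OpenSSL compare the message's recipient issuer/serial
        # with this certificate and fail cleanly when they differ.
        if out=$(openssl smime -decrypt -in "$1" -recip "$crt" \
                 -inkey "$RING/$name.key" 2>/dev/null); then
            printf '%s:%s\n' "$name" "$out"
            return 0
        fi
    done
    return 1
}

new_pair mick-2007 365         # older pair, retained only to read old mail
new_pair mick-2008 365         # replacement pair used for new mail
encrypt_to mick-2007 "old message" "$RING/old.p7m"
encrypt_to mick-2008 "new message" "$RING/new.p7m"

decrypt_with_ring "$RING/old.p7m"
decrypt_with_ring "$RING/new.p7m"
```

Retiring a pair from new encryption only means correspondents stop using its certificate; its `.key` file has to stay in the ring for as long as old messages must remain readable.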
