Erich Eckner <[email protected]> wrote:
> we're looking into setting up a CA with openssl, but we would like to
> distribute the secret key amongst multiple persons. We're aware of
> Shamir's secret sharing algorithm, but we'd like to know if there is some
> algorithm supported by openssl, that fulfills the following requirements
> (2 and 3 are not fulfilled by Shamir's algorithm):
> 1. Secret key shared amongst N persons, M<N shares sufficient for using
> the key.
> 2. No secret material (or parts thereof) needs to be sent around,
> preferably not even during creation of the key.
So you want to split a secret, but then not send anything to anyone?
I don't really understand this at all. I don't think it's physically
possible. Maybe you could restate your requirement in another way.
> 3. Secret key will not be assembled from the shares for the actual
> operation. E.g. each share operates independently, and the intermediate
> result is sent around, after M keyparts operated on it, the signature is
> complete and can be used.
I guess you want a system where the shares can be added after
"exponentiation" rather than before.
> If this is not supported by openssl, we're also open for suggestions of
> other (open source, free-to-use) software, that can achieve this and
> creates standard X.509 certificates (not sure if I termed that correctly).
I believe that Phillip Hallam-Baker's
Threshold Modes in Elliptic Curves
draft-hallambaker-threshold-02
may fulfil your needs. It might even satisfy (2), but I'm not sure it
satisfies (1). It may be that you don't need to satisfy (1).
I know that Phil has running code, but I don't think it's based upon openssl.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
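
The following is an added example, not part of the message above and not the scheme from draft-hallambaker-threshold-02. It illustrates combining shares after "exponentiation" in a generic discrete-log group: each holder exponentiates with its own Shamir share, and a combiner multiplies the partial results with Lagrange coefficients in the exponent, so the key is never reassembled (requirement 3). Assumptions: toy group parameters, hypothetical function names, and a dealer who knows the secret at split time, so requirement 2 is not addressed.

```python
import secrets

# Toy Schnorr group (constructed, far too small for real use): P = 2*Q + 1.
P, Q, G = 2039, 1019, 4   # G generates the subgroup of prime order Q

def shamir_split(secret, m, n):
    """Dealer step: split `secret` (mod Q) into n shares, any m suffice."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(m - 1)]
    def f(x):
        return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
    return {i: f(i) for i in range(1, n + 1)}

def partial_op(share, base):
    """What one share holder computes locally: base^share mod P."""
    return pow(base, share, P)

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of participant i at x = 0 over `ids`, mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials):
    """Combine {id: base^share_id}. Only partial results are seen here,
    never a share and never the secret exponent."""
    ids = list(partials)
    out = 1
    for i, part in partials.items():
        out = out * pow(part, lagrange_at_zero(i, ids), P) % P
    return out

def demo():
    """3-of-5 run: the combined result equals base^x without rebuilding x."""
    x = secrets.randbelow(Q - 1) + 1
    shares = shamir_split(x, m=3, n=5)
    base = pow(G, 77, P)            # constructed value to operate on
    chosen = [2, 4, 5]              # any three of the five holders
    partials = {i: partial_op(shares[i], base) for i in chosen}
    return combine(partials) == pow(base, x, P)

if __name__ == "__main__":
    print("threshold result matches:", demo())
```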
