Re: SigningTable (was: SigingTable)

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sun, 21 Feb 2010 22:21:56 -0800 (PST)

On Sun, 21 Feb 2010, SM wrote:
> I guess that I do not understand how it works. Let's say I have a
> domain example.com and I would like to use different private
> keys/selectors for different groups of users. I have:
>
> sm_at_example.com
> msk_at_example.com
>
> They will be signed with different selectors. I can decide to use the
> same key or different keys for each entry. I'll add these two entries
> to the SigningTable. Now, I need to point them to the selector and the
> domain to use. Once that is done, I map the selector and domain to a
> key in KeyTable.

Close. You would add those two entries to the SigningTable as keys (in
the database sense, not in the crypto sense), with the names of keys (in
the crypto sense) as values. For example:

SigningTable:
         KEY                  VALUE
         sm_at_example.com    key1
         msk_at_example.com   key2

Values in the SigningTable become keys to be looked up in the KeyTable.
So in your case, as those are different keys, you might have:

KeyTable:
         KEY    VALUE
         key1   example.com:msk-selector:privatekey1
         key2   example.com:sm-selector:privatekey2

...where "privatekeyX" is either an actual private key or the path to one.

> If the mapping is derived from the key, I cannot do:
>
> selector1:example.com:key1
> selector2:example.com:key1

You could do that in the KeyTable if you want selector1 and selector2 to
reference the same private/public key pair.

> From our previous discussion, I understood that it is the selector and
> domain that determines what key to use.

A match in the SigningTable gives you the name of a record in the
KeyTable, and that KeyTable record gives you the signing domain, selector,
and private key to use when generating the signature.

Received on Mon Feb 22 2010 - 06:22:16 PST
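The two-stage lookup Murray describes, as an added example (my code, not OpenDKIM's and not the poster's files): the tables are constructed in the plain "key value" layout of the message, the key-file paths and the case-insensitive sender match are my assumptions, and validate() adds the check a practitioner wants, that every SigningTable value actually exists in the KeyTable.

```python
# Constructed sample tables (not the poster's): SigningTable maps a sender to
# a key *name*; KeyTable maps that name to "signingdomain:selector:privatekey".
SIGNING_TABLE_TEXT = """\
# sender                 key name
sm@example.com           key1
msk@example.com          key2
"""

KEY_TABLE_TEXT = """\
# key name   signingdomain:selector:privatekey (key data or a path to it)
key1         example.com:sm-selector:/etc/dkim/keys/sm.private
key2         example.com:msk-selector:/etc/dkim/keys/msk.private
# two selectors may point at the same private key file
key3         example.com:old-selector:/etc/dkim/keys/msk.private
"""


def parse_table(text):
    """Parse 'key value' lines; '#' comments and blank lines are ignored.
    Keys are lower-cased so lookups are case-insensitive (an assumption)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def validate(signing_table, key_table):
    """Return senders whose key name is missing from the KeyTable; these
    would be a dangling reference, so catch them at load time."""
    return sorted(s for s, n in signing_table.items() if n.lower() not in key_table)


def resolve(sender, signing_table, key_table):
    """Return (domain, selector, privatekey) for a sender, or None when the
    sender has no SigningTable entry (no signature is added then)."""
    key_name = signing_table.get(sender.lower())
    if key_name is None:
        return None
    record = key_table[key_name.lower()]
    domain, selector, privatekey = record.split(":", 2)  # exactly 3 fields
    return domain, selector, privatekey


SIGNING_TABLE = parse_table(SIGNING_TABLE_TEXT)
KEY_TABLE = parse_table(KEY_TABLE_TEXT)

if __name__ == "__main__":
    print(validate(SIGNING_TABLE, KEY_TABLE))
    print(resolve("sm@example.com", SIGNING_TABLE, KEY_TABLE))
    print(resolve("nobody@example.com", SIGNING_TABLE, KEY_TABLE))
```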