-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mohan Radhakrishnan wrote:
> Hi,
> We have come across tools like SSSS. Can I use these in Windows? I am
> trying to split the public key. We are the encryptors. Does that make sense?

Well, there are tools implementing SSSS in Windows, but I think different implementations are not compatible with each other. The only open source implementation I have found is the one available at http://point-at-infinity.org/ssss/

I was told the source code is simple enough to make an updated version for Windows, but I lack the skill needed to do it, and the person who told me won't do it unless the organization in which we are involved requires the tool. So maybe the easiest way would be to install Ubuntu on a machine (maybe a virtual machine), install SSSS from Ubuntu's repositories, and use it on that platform.

I think people would find SSSS a lot more reliable if GnuPG included it (and maintained it) as a complement to GnuPG; that way we would know it will be available as long as GnuPG is available, but I understand they can't implement each and every tool somebody thinks desirable to have.

Now, about splitting the public key, it doesn't make sense to me, since the public key is, by definition, public: you don't need to keep it secret or safe. What you MUST keep secret and safe is the private key.

I took a look at PCI DSS v1.2.1, and found:

3.6.6 Split knowledge and establishment of dual control of cryptographic keys.

3.6.6 Verify that key-management procedures are implemented to require split knowledge and dual control of keys (for example, requiring two or three people, each knowing only their own part of the key, to reconstruct the whole key).

IMHO, it refers to the secret part of the key, not to the public part. When you say you are the encryptor, I suppose you mean you are the party sending the information, which, at first sight, doesn't require handling private keys, unless you are also signing the message.

> Looks like according to PCI, GPG is not compliant because there is no
> mechanism to split keys using GPG. Is there a way ?

If I understood it right, yes, GPG is not compliant because it doesn't include an "out of the box" tool to achieve that.

But maybe we can be creative and find a way to solve the problem. Private keys can be protected by a passphrase, and if the passphrase is strong enough, _maybe_ the key will be protected with an encryption stronger than the key itself. With that in mind, why don't we split the passphrase, instead of splitting the key?

That workaround looks fine _to me_, but I'm not an expert, and I'm not an auditor of PCI DSS compliance, so I don't really know if it would be a good solution.

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJL2IzFAAoJEMV4f6PvczxABpIH/277OWwrwqC5uqTMfdepCpOl
xbn/dNFghWFrwnJ4cMhv049sB3RMmmmaONFeGDDs0SUarC6S5lUCG4jr7lpg2p0F
0zxg7E5ddDhs1MNxSkAZVnXm1pLIl4Y3vYskyEh0W7b4iShLXC700clSk7m4fnWY
EzKCzTvOhfvatMHsifNNAyeCPEaqsbKPOxSq/sVqa/173NMz7xb9coPyca2CQeKT
va6Uf+AFvxgy+W60ymWKKzzKi15DkmAQNgtmbQOkBF9xvEZPsNtKepqfjX6CNRn2
Eo7+kHUBusL8zb/XtYfwVYckFKk7ApY58QpTLilTdEi06gwMSpg/pxGggG3KIWw=
=JhoP
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users