distributed secret key

Erich Eckner openssl at eckner.net
Sun May 24 09:58:42 UTC 2020


Hi,

we're looking into setting up a CA with openssl, but we would like to
distribute the secret key amongst multiple persons. We're aware of
Shamir's secret sharing algorithm, but we'd like to know if there is some
algorithm supported by openssl that fulfills the following requirements
(2 and 3 are not fulfilled by Shamir's algorithm):

1. Secret key shared amongst N persons, M<N shares sufficient for using 
the key.

2. No secret material (or parts thereof) needs to be sent around, 
preferably not even during creation of the key.

3. Secret key will not be assembled from the shares for the actual
operation. E.g. each share operates independently, and the intermediate
result is sent around; after M keyparts operated on it, the signature is
complete and can be used.

If this is not supported by openssl, we're also open to suggestions of
other (open source, free-to-use) software that can achieve this and
creates standard X.509 certificates (not sure if I termed that correctly).

Thank you in advance!

Regards,
Erich



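The signing flow described in requirements 1 and 3 above (M of N share holders each operate on the hash independently, the partial results are combined, and the private key is never reassembled) is what a threshold RSA scheme such as Shoup's provides; the following is an added example, not OpenSSL code and not from the original thread. It assumes a trusted dealer who knows phi(n), so it does not address requirement 2 (distributed key generation), and it uses constructed toy primes that are far too small for real use.

```python
# Dealer-based threshold RSA signing after Shoup (Eurocrypt 2000); added example.
# Assumes Python 3.8+ (pow() with a negative exponent computes a modular inverse)
# and a trusted dealer who knows phi(n). Toy Mersenne primes, not for real use.
import math
import secrets
from hashlib import sha256

P, Q = 2**31 - 1, 2**61 - 1                       # constructed toy primes
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537       # (n, e) public; phi stays with the dealer

def deal_shares(k, l):
    """Split d = e^-1 mod phi(n) into l Shamir shares over Z_phi; any k suffice.
    Share i is f(i) for a random degree-(k-1) polynomial with f(0) = d."""
    coeffs = [pow(E, -1, PHI)] + [secrets.randbelow(PHI) for _ in range(k - 1)]
    return {i: sum(c * pow(i, j, PHI) for j, c in enumerate(coeffs)) % PHI
            for i in range(1, l + 1)}

def hash_to_group(msg):
    """Message representative x in Z_n^* (a hash sharing a factor with n is negligible)."""
    return int.from_bytes(sha256(msg).digest(), "big") % N

def partial_sign(x, share, l):
    """Each holder exponentiates with its own share only; d is never reassembled."""
    return pow(x, 2 * math.factorial(l) * share, N)

def lagrange_int(j, subset, l):
    """l! times the Lagrange coefficient at 0: an integer, so no inverse mod phi(n)."""
    num, den = math.factorial(l), 1
    for jp in subset:
        if jp != j:
            num, den = num * -jp, den * (j - jp)
    assert num % den == 0
    return num // den

def combine(x, partials, l):
    """Turn k partial signatures {j: x^(2*delta*s_j)} into the plain RSA signature x^d."""
    delta = math.factorial(l)
    w = 1
    for j, x_j in partials.items():               # w = x^(4*delta^2*d) mod n
        w = w * pow(x_j, 2 * lagrange_int(j, partials, l), N) % N
    a = pow(4 * delta * delta, -1, E)             # exists: e is prime and e > l
    b = (1 - 4 * delta * delta * a) // E          # so 4*delta^2*a + e*b = 1
    return pow(w, a, N) * pow(x, b, N) % N        # = x^d because x^(e*d) = x

def verify(x, y):
    """Ordinary RSA check: any standard verifier accepts the combined signature."""
    return pow(y, E, N) == x
```

The combined value is an ordinary RSA signature under (n, e), so the certificate issued with it is a standard X.509 certificate; only the signing side changes.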
More information about the openssl-users mailing list