[openssl-users] RFC5077 KWK

Henderson, Karl KHenderson at verisign.com
Thu Apr 5 18:02:17 UTC 2018

Is it possible to use 5077 with a key wrapping key in a Needham-Schroeder scenario:

  *   A is a Key Server
  *   C is say a web server
  *   A has a relationship with C and hence A has key KEYac
  *   B wants to talk to C but doesn’t have a relationship with C
  *   B has a relationship with A
  *   B asks A for a key it can use with C
  *   A generates a KEYbc and wraps it with KEYac giving us KEYbcac with key_name KEYac

Is it possible to construct a 5077 style ticket with KEYbcac that can be transparently unwrapped by C so that B can speak with C using KEYbc? By transparently, I mean without modification to the server C.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180405/539044c0/attachment-0001.html>

More information about the openssl-users mailing list