distributed secret key
openssl at eckner.net
Sun May 24 09:58:42 UTC 2020
we're looking into setting up a CA with openssl, but we would like to
distribute the secret key amongst multiple persons. We're aware of
Shamir's secret sharing algorithm, but we'd like to know if there is some
algorithm supported by openssl, that fulfills the following requirements
(2 and 3 are not fulfilled by Shamir's algorithm):
1. Secret key shared amongst N persons, M<N shares sufficient for using
2. No secret material (or parts thereof) needs to be sent around,
preferably not even during creation of the key.
3. Secret key will not be assembled from the shares for the actual
operation. E.g. each share operates independently, and the intermediate
result is sent around, after M keyparts operated on it, the signature is
complete and can be used.
If this is not supported by openssl, we're also open for suggestions of
other (open source, free-to-use) software, that can achieve this and
creates standard X.509 certificates (not sure if I termed that correctly).
Thank you in advance!
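Requirements 1 and 3 in the message above describe threshold signing. The following is an added example, not part of the original post and not an OpenSSL feature: a sketch of Shoup's threshold RSA scheme (without its share-correctness proofs) in which each holder operates on its own share and M partial results combine into an ordinary RSA signature. It assumes a trusted dealer at key creation, so it does not address requirement 2; the parameters are constructed toy values and all function names are hypothetical.

```python
import math
import secrets
from fractions import Fraction

# Constructed toy parameters: safe primes p = 2p'+1, q = 2q'+1 (real keys need >= 2048-bit n).
P1, Q1 = 509, 593
N_MOD = (2 * P1 + 1) * (2 * Q1 + 1)
M_ORD = P1 * Q1          # order of the squares mod n; shares live mod this
E = 65537                # public exponent, a prime larger than the number of holders


def deal(holders, threshold):
    """Trusted dealer: split d = E^-1 mod M_ORD into `holders` Shamir shares."""
    d = pow(E, -1, M_ORD)
    coeffs = [d] + [secrets.randbelow(M_ORD) for _ in range(threshold - 1)]
    return {i: sum(c * i**j for j, c in enumerate(coeffs)) % M_ORD
            for i in range(1, holders + 1)}


def partial_sign(x, share, holders):
    """Run by one holder on its own share; only this value is sent around."""
    delta = math.factorial(holders)
    return pow(x, 2 * delta * share, N_MOD)


def combine(x, partials, holders):
    """Turn `threshold` partial results {index: value} into the RSA signature of x."""
    delta = math.factorial(holders)
    w = 1
    for i, x_i in partials.items():
        lam = Fraction(delta)
        for j in partials:
            if j != i:
                lam *= Fraction(-j, i - j)   # Lagrange coefficient at 0, scaled by delta
        assert lam.denominator == 1          # delta makes the coefficient an integer
        w = w * pow(x_i, 2 * int(lam), N_MOD) % N_MOD
    # Now w^E == x^(4*delta^2); gcd(4*delta^2, E) == 1, so solve a*e2 + b*E == 1.
    e2 = 4 * delta * delta
    a = pow(e2, -1, E)
    b = (1 - a * e2) // E
    return pow(w, a, N_MOD) * pow(x, b, N_MOD) % N_MOD


if __name__ == "__main__":
    x = 424242               # constructed stand-in for a padded certificate hash
    shares = deal(holders=5, threshold=3)
    parts = {i: partial_sign(x, shares[i], 5) for i in (2, 4, 5)}
    sig = combine(x, parts, 5)
    print(sig, pow(sig, E, N_MOD) == x)
```

The private exponent is never reassembled in `combine`; it only sees the partial results, and the output verifies like any RSA signature under the public key (N_MOD, E). Requires Python 3.8 or later for modular inverses via `pow`.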