[6874] in cryptography@c2.net mail archive
Re: secret-sharing code
daemon@ATHENA.MIT.EDU (Damien Miller)
Fri Mar 31 21:25:17 2000
Date: Fri, 31 Mar 2000 18:57:14 +1000 (EST)
From: Damien Miller <djm@mindrot.org>
To: John Gilmore <gnu@toad.com>
Cc: Greg Rose <ggr@qualcomm.com>, Steve Bellovin <smb@research.att.com>,
cryptography@c2.net
In-Reply-To: <200003300059.QAA04756@toad.com>
Message-ID: <Pine.LNX.4.10.10003311848480.563-100000@mothra.mindrot.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 29 Mar 2000, John Gilmore wrote:
> >>Are there any freely-available secret-sharing packages around? Specifically,
> >>I need to be able to set up modestly complex policies to protect a sensitive
> >>signature key.
> >
> > I use Hal Finney's "secsplit". Google found it in a couple of places; it
> > doesn't seem to have been updated since 1993.
>
> This is why I don't recommend secret-sharing for important DNSSEC
> private keys. Using infrequently maintained software increases the
> risk of losing the key, perhaps years from now when you suddenly
> decide you need it.
FWIW secsplit compiled nearly first try and appears to work fine.
OTOH its format may not be stable across different word sizes or endians
(haven't checked). Though I don't think that it is too unreasonable to
keep old hardware / software around to recoved old data.
A cleaned up secsplit which uses /dev/urandom for randomness can be
found at http://www.mindrot.org/misc/secsplit-1.2.tar.gz
-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
