   SPX Version 2.2                                                 spxinit(1)



   Name
     spxinit - establish SPX claimant credentials

   Syntax
     spxinit [-lv] [-k key_size] [-t hours] [-c ca_name] [-n fullname]

   Description
     We would like to avoid placing the user's long term private key in the
     system, since this would have severe consequences if a system is
     compromised.  Instead, the spxinit command is used to establish a
     cryptographic state which represents a claimant principal for a limited
     validity interval.  SPX credentials permit a principal to strongly
     authenticate on behalf of its global identity to verifier principals.
     Credentials are stored in the /tmp directory in files protected by the
     operating system by the process's UID.  Use spxlist to list the
     credential's contents.

     For information about registering as an SPX user and obtaining keys, see
     the spx(1) manual page.

     When you use spxinit without options, the domain prefix is taken from
     either ~/cdc.conf or /etc/cdc.conf.  The user must supply a valid SPX
     password when prompted, and then spxinit tries to contact a CDC server
     for that domain.

     If all goes well, a delegation RSA key (of the specified key size) is
     generated, and a "login ticket" is created using the principal's long
     term private key to certify the short term delegation key.  Now, the
     delegation key is said "to speak for the principal" for a brief time
     interval.  Also, SPX retrieves the principal's Trusted Authorities (TA)
     certificates and any superior TA certificates up to the domain prefix.
     These TA public keys are cached as a trusted knowledge base of keys to
     use in authenticating other principals.  SPX then puts the login ticket
     and TA public keys in a file named /tmp/claimant_username for the local
     username.  Next, the user can use SPX strong authentication in
     applications such as flogin, fcp and fsh.

     The _s_p_x_d_e_s_t_r_o_y command should be placed in the user's ._l_o_g_o_u_t file so
     that delegated credentials will be automatically destroyed when the user
     logs out.

   Options

     -k _k_e_y__s_i_z_e         The approximate desired modulus size for the delega-
                         tion key, in bits.  (default is  384)

     -t _h_o_u_r_s            Number of hours the credentials are valid.  (default
                         is 12)  The maximum is 24 hours.  If 0 is specified,
                         the credentials are actually valid for 15 minutes.

     -l                  Get certificates and encrypted private key from
                         local files to init credentials.



   Digital Equipment Corporation                                            1

     -c _c_a__n_a_m_e          CA name.  Overrides SPHINX_LOCAL_CA variable.
                         (default is 'OU=Users')

     -n _f_u_l_l_n_a_m_e         Specifies the fullname to be used to assemble the
                         principal's global identity.  Can either specify a
                         full X.500 name (i.e., "/C=US/...") or the last AVA
                         of your name (i.e., "John Smith").  By default, the
                         SPHINX_LOCAL_NAME variable is used.  If this doesn't
                         exist, the name is prompted.

     -v                  Verbose mode

   Files
     /etc/cdc.conf /tmp/claimant__n_a_m_e

   See Also

     spx(1), spxdestroy(1), spxlist(1)