2. I have read the RFCs containing the standards, but is there any
standard about how keys will be kept and managed? For example,
would I be able to have many different programs generate keys, and
have my version of PEM be able to keep one central database of
keys. Also, how do I collect public keys from 20 different programs
and put them on one ring?
No, the PEM RFCs do not specify how keys are to be stored or protected.
That is considered a "local matter". Most implementations are storing them
on floppy disk, encrypted using some sort of a password scheme. Smart card
implementations are highly desirable in this environment, but are not yet
available.
The general purpose security toolkit SecuDE, which also includes a PEM
implementation, does use smartcards. While the SecuDE software is freely
available, the integrated smartcard system (to be connected via the serial
interface to the host system and doing RSA in the reader and DES in the
card and the reader) is a commercial product.
For more information ftp to darmstadt.gmd.de, directory pub/secude.
Wolfgang Schneider