Key Recovery Process
722 Netscape Certificate Management System Installation and Setup Guide • May 2002

splitting or sharing, whereby it splits the PIN that protects the token in which the storage key pair resides among n number of key recovery agents and reconstructs the PIN only if m number of recovery agents provide their individual passwords; n must be an integer greater than 1 and m must be an integer less than or equal to n.

Here’s how the m of n secret splitting mechanism gets built and works:

During the installation of a Data Recovery Manager, you generate the storage key pair and specify the hardware token in which the key pair is to be stored. At this time, you also specify a PIN (or password) to protect the token, the total number of key recovery agents (n), and how many of these agents (m) are required to perform a key recovery operation. You can change the m of n secret splitting later; for details, see “Key Recovery Agent Scheme” on page 727.

The Data Recovery Manager splits the PIN for the token into n parts or pieces. It then encrypts these parts with the passwords that are provided by the authorized key recovery agents.

During the key recovery procedure, the required number of key recovery agents (m) provide their identifiers and passwords. After verifying the passwords, the Data Recovery Manager reconstructs the PIN for the token based on the given information.

Interface for the Key Recovery Process

With the Key Recovery form provided in the Data Recovery Manager Agent Services interface, key recovery agents can collectively unlock the key repository of the Data Recovery Manager and retrieve end users’ encryption private keys and associated certificates in a PKCS #12 package, which can then be imported into the client. For an overview of this process, see “How Agent-Initiated Key Recovery Works” on page 724.

Because key recovery agents use the Data Recovery Manager Agent Services interface, agent-initiated key recovery invariably involves the Data Recovery Manager agent and key recovery agents. The Data Recovery Manager agent’s certificate is required to access the Key Recovery form, and key recovery agents’ passwords are required to unlock the key repository. For information on Data Recovery Manager agents, see “Agents” on page 373.

Your organization’s PKI policy may require that the key recovery process be restricted to authorized recovery agents only, preventing any Data Recovery Manager agent from being involved. If so, you should ask all key recovery agents to get client certificates and set them up as Data Recovery Manager agents. For instructions, see “Setting Up Agents” on page 391.
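The m of n secret splitting described earlier on this page, as an added example that is not code from the guide or from Certificate Management System. It assumes Shamir's threshold scheme over a prime field for the split (the guide does not name the algorithm) and uses a PBKDF2-derived pad with an HMAC as an illustrative stand-in for encrypting each part under an agent's password; all function names are hypothetical.

```python
import hashlib, hmac, secrets

P = 2**127 - 1  # prime field modulus (assumption; fits PINs up to 15 bytes)

def split_pin(pin: bytes, m: int, n: int):
    """Shamir split: n shares (x, y), any m of which recover the PIN."""
    if not (n > 1 and 1 <= m <= n):
        raise ValueError("n must be > 1 and m must be <= n")
    if len(pin) > 15:
        raise ValueError("PIN too long for this field")
    # Random polynomial of degree m-1 whose constant term is the PIN.
    coeffs = [int.from_bytes(pin, "big")] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def join_pin(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(16, "big").lstrip(b"\0")

def _keys(password: bytes, salt: bytes):
    # One derivation yields a 16-byte pad and a 32-byte MAC key.
    k = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, 48)
    return int.from_bytes(k[:16], "big"), k[16:]

def wrap_share(share, password: bytes):
    """Encrypt one share's y value under an agent's password, then MAC it."""
    x, y = share
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _keys(password, salt)
    ct = (y ^ pad).to_bytes(16, "big")
    return x, salt, ct, hmac.new(mac_key, ct, "sha256").digest()

def unwrap_share(wrapped, password: bytes):
    """Verify the agent's password via the MAC, then decrypt the share."""
    x, salt, ct, tag = wrapped
    pad, mac_key = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        raise PermissionError(f"wrong password for agent {x}")
    return x, int.from_bytes(ct, "big") ^ pad
```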