Usage key triplet generation process
Generating a usage key triplet requires the left and right master key passphrases, and therefore the presence of both master key holders. Two further key holders, one for each of the two public subkeys of the usage key triplet, are also required. The key holders can be the same persons.
Figure 1 illustrates the process.
The encrypted master key is read from its file and decrypted with the two master passphrases; the decrypted master key is held in main memory only. From this in-memory copy, each usage key triplet is generated by encrypting the master key again under a new pair of passphrases.
The result of this process is the private triplet subkey, which must be stored in the key directory of the Safer Payments installation. Because the file system of the Safer Payments server host is a protected area, this provides an added level of security.
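The following Python is an added illustration of the pattern described above, not the Safer Payments implementation (its key file format, KDF and cipher are not described on this page): a key-encryption key that needs both holders' passphrases, the master key decrypted only in process memory, and a usage key produced by re-encrypting it under a new passphrase pair. The PBKDF2 key derivation and the HMAC-based stream cipher are stand-ins chosen so the example runs with the standard library alone.

```python
"""Constructed example of dual-passphrase key wrapping and re-wrapping."""
import hashlib
import hmac
import os

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _kek(left: str, right: str, salt: bytes) -> bytes:
    # Both passphrases feed a single derivation, so neither holder alone
    # can reconstruct the key-encryption key. Returns 32 B enc + 32 B mac.
    material = left.encode() + b"\x00" + right.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 200_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF keystream (stand-in for an AEAD cipher).
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]


def wrap(secret: bytes, left: str, right: str) -> bytes:
    """Encrypt-then-MAC `secret` under the passphrase pair (left, right)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _kek(left, right, salt)[:32], _kek(left, right, salt)[32:]
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap(blob: bytes, left: str, right: str) -> bytes:
    """Verify the tag first; a wrong passphrase pair fails before decryption."""
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    kek = _kek(left, right, salt)
    expected = hmac.new(kek[32:], salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase pair or corrupted key file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek[:32], nonce, len(ct))))


def generate_usage_key(master_blob: bytes, left: str, right: str,
                       new_left: str, new_right: str) -> bytes:
    """Decrypt the master key in memory and re-wrap it under a new pair."""
    # Hypothetical helper: the plaintext master key exists only inside this
    # call (Python offers no guaranteed zeroization, so keep its scope small).
    master = unwrap(master_blob, left, right)
    return wrap(master, new_left, new_right)
```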
A good key generation practice is to generate a number of usage key triplets in advance and then use them when they are needed.