Re: Global PKI on DNS?

> > I don't want to discount the importance of cert discovery, but I do
> > think it's a stretch to believe that you're going to be willing to trust
> > all of the certs that you discover in a chain of significant length, for
> > a significant set of purposes.
> 
> So do you think that there's a necessary difference in trustworthiness
> between the certs that you "discover" when you take your computer out of
> the box, or download the latest browser, and those that you would discover
> via some lookup mechanism?  Even if the certs discovered via that
> mechanism were associated with policies based on explicit agreements
> and terms of use between your organization and the various issuers?

no, I think there's likely to be a difference in the trustworthiness
of a short chain of certs involving a small number of other parties 
vs. that of a long chain of certs involving a larger number of other
parties.  and if the cert discovery mechanism can incorporate 
personal and/or site policy, that's great - as long as it knows 
which policy to use under which circumstances.  

in general I think the longer the cert chain, the narrower the applicability.

Keith

