On 3/2/2021 4:00 PM, George Michaelson wrote:
> X.500 is complicated because names are complicated.
Well, no. George, I worked on X.500 at the same time you did, and my
conclusions are different. X.500 names' main source of gratuitous
complexity was that they embedded an arbitrary hierarchy. If I remember
correctly, the name hierarchy in X.500 embedded things like country
name, telecom company name, city, street, company (a.k.a. organization),
department (a.k.a. organization unit), maybe several levels of those,
and then common name.
On 3/2/21 2:27 PM, Phillip Hallam-Baker wrote:
So I just looked up ssh certificates which I think somebody mentioned. This is a prime example of throwing needless complexity at a problem. If you just added the user's public keys to, say, an LDAP repo, you get the scaling they claim to be solving for, and avoid all of the needless complexity of issuing certs and installing them on the client. The client ssh doesn't need to do anything different, as a bonus. With LDAP you get the added bonus that it can dish out attributes for things like roles and permissions, which would be a giant headache if it had to be done with reissued certs every time your role or permission changed.
I'm trying to think of major things that use public key authentication. There's TLS with certs, DKIM using raw public keys, and SSH mainly using raw public keys. Am I missing anything else that is widely deployed? DNSSEC and BGP are still pretty skimpy from what I can tell.
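As an added illustration that is not part of the thread, here is the OpenSSH user-certificate wire layout the message refers to, encoded and decoded in plain Python. The key and signature bytes are constructed placeholders and the signature is not verified; the point is that principals (the "role" list) and the validity window are baked into the signed blob, so changing either means a reissued certificate rather than an attribute update.

```python
import struct

CERT_ALG = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _take(buf: bytes, pos: int):
    """Read one SSH 'string' at pos; return (bytes, new_pos)."""
    n, = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def encode_user_cert(pubkey, key_id, principals, valid_after, valid_before,
                     ca_pubkey, signature, serial=1):
    """Build a user certificate blob (type 1). Signature is a placeholder here."""
    body = b"".join([
        _s(CERT_ALG),
        _s(b"\x00" * 32),                  # nonce, fixed for this constructed example
        _s(pubkey),                        # subject's raw public key
        struct.pack(">Q", serial),
        struct.pack(">I", 1),              # 1 = user certificate, 2 = host certificate
        _s(key_id.encode()),
        _s(b"".join(_s(p.encode()) for p in principals)),  # packed principal list
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _s(b""), _s(b""), _s(b""),         # critical options, extensions, reserved
        _s(ca_pubkey),                     # CA key that (would have) signed this
    ])
    return body + _s(signature)            # signature covers everything before it

def decode_user_cert(blob):
    """Parse the fields back out; does not check the signature."""
    alg, pos = _take(blob, 0)
    _nonce, pos = _take(blob, pos)
    pubkey, pos = _take(blob, pos)
    serial, ctype = struct.unpack_from(">QI", blob, pos); pos += 12
    key_id, pos = _take(blob, pos)
    plist, pos = _take(blob, pos)
    principals, p = [], 0
    while p < len(plist):
        name, p = _take(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos); pos += 16
    for _ in range(3):                     # skip options, extensions, reserved
        _, pos = _take(blob, pos)
    ca_pubkey, pos = _take(blob, pos)
    signature, pos = _take(blob, pos)
    return {"alg": alg, "pubkey": pubkey, "serial": serial, "type": ctype,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "ca_pubkey": ca_pubkey, "signature": signature}

def principal_allowed(cert, user, now):
    """What sshd checks after signature verification: name and validity window."""
    return (cert["type"] == 1 and user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])
```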