Re: What ASN.1 got right


On 3/4/21 7:52 AM, Nico Williams wrote:
> On Thu, Mar 04, 2021 at 09:57:47AM -0500, Phillip Hallam-Baker wrote:
> > X.509 is really optimized around the totally offline case. And that is a
> > bad choice for many applications. But it does work for some.
>
> No, that's not it.
>
> X.509 tries to minimize online infrastructure, but not to zero.
>
> In particular, it minimizes *state*.

Um, why should we care about that? Nothing else cares about holding state.

> Now, if you start binding public keys to users via a directory, you'll
> be unhappy because you'll have all the problems directories have, and
> because you might get the schema wrong and allow only one key per-user,
> and even if you don't get the schema wrong you'll have a garbage
> collection problem, and even if you manage to solve that with
> expirations then the act of registering new keys is still more complex
> than the act of signing new certificates.

Oh brother. When you start arguing that people might get implementations wrong, you're grasping at straws. All of the sites that I've used that allow public key authentication have grokked that there might be more than one key, like, oh say, github. This is complete nonsense. People might issue certs for 150 years too.

Mike
