On 3/4/21 2:17 PM, Michael Thomas wrote:
> My point here isn't to defend how TLS works, it's to say that almost
> nothing requires the truly offline verification aspect that x.509
> brings to the table.
Emphatically disagree. There are lots of situations requiring "truly
offline" certificate verification.
> I can (and have) built an asymmetric key login mechanism that just puts
> naked public keys into a user table of a database, for example. The
> x.509-first view of the asymmetric keys world has confused a lot of
> thinking and had I introduced it to that mechanism it would have been
> worlds more complex and much harder to understand. Designers should,
> dare I say it, be looking at the actual requirements of the system
> before settling on a particular solution.
Perhaps you should take your own advice.
Keith