
Re: Software for PKI

the point was that there are integrity exposures with the current SSL
domain name certificates .... because of its dependency on the domain name
infrastructure. There are proposals to fix the problem by registering
public keys in the domain name system.

The claim is that if public keys are in the domain name system as part of
fixing the issue for TTP CAs ... then it is relatively trivial for the
domain name infrastructure to start using those public keys ... including
current domain name infrastructure facilities to "serve-up" those keys in
online, real-time requests.  The observation is that if the problem was
fixed for the TTP CAs then the fix is also the seed for eliminating the
need for the SSL domain name certificates.

Furthermore, the claim is that such an implementation (once the keys are
being registered) is a much, much simpler (KISS) deployment for online,
real-time information than what it would take to turn the current SSL
domain name certificate manufacturing infrastructure into a real PKI (aka
real-time serving of public keys is a much better and simpler strategy with
domain name infrastructure .... than trying to turn an offline-world design
point, certificates, into a PKI).





ekr.rtfm.com at 11/8/2001 10:39 am wrote:

Yes, that's true. So? It's still better than nothing which is what
we had before.

-Ekr

--
[Eric Rescorla                                   ekr@xxxxxxxx]
                http://www.rtfm.com/
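The proposal argued in the message above, public keys registered in and served from the domain name system so that the registered key rather than a CA-issued certificate anchors trust, is the idea later standardized as DANE (RFC 6698, TLSA records). The following is an added example and is not code from this thread or from either correspondent. It parses TLSA rdata, publishes a key under the _port._proto.host owner name, and checks a presented key against what DNS says; the in-memory zone dictionary stands in for a DNSSEC-validated DNS answer, and all names, keys and certificates are constructed.

```python
"""Toy DANE-style check: the key published in DNS, not a CA, anchors trust.

TLSA rdata layout (RFC 6698): usage(1) selector(1) matching_type(1) data(n).
The zone dictionary below is a constructed stand-in for a DNSSEC-validated
DNS answer; no real keys, certificates or hostnames are involved.
"""
import hashlib
import hmac
from dataclasses import dataclass

# TLSA usage values (RFC 6698 section 2.1.1). Only DANE-EE (3) is modelled:
# the DNS-published key is the trust anchor and no CA chain is consulted.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1                   # selector field
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # matching type field


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: bytes) -> TLSARecord:
    """Split TLSA wire rdata into its three header octets and association data."""
    if len(rdata) < 3:
        raise ValueError("TLSA rdata shorter than its 3-byte header")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def _associate(matching_type: int, subject: bytes) -> bytes:
    """Turn the selected cert/key bytes into the form stored in the record."""
    if matching_type == MATCH_EXACT:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa(usage: int, selector: int, matching_type: int,
               subject: bytes) -> bytes:
    """Rdata a zone operator would publish for the given cert or SPKI bytes."""
    return bytes([usage, selector, matching_type]) + _associate(matching_type, subject)


def record_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate/key match this record? Unusable -> False."""
    if rec.usage != DANE_EE:
        return False  # usages 0-2 also need PKIX chain building; not modelled here
    if rec.selector == SEL_FULL_CERT:
        subject = cert_der
    elif rec.selector == SEL_SPKI:
        subject = spki_der
    else:
        return False  # unknown selector is "unusable", never a match
    try:
        expected = _associate(rec.matching_type, subject)
    except ValueError:
        return False
    return hmac.compare_digest(expected, rec.data)


def lookup_tlsa(zone: dict, host: str, port: int = 443, proto: str = "tcp") -> list:
    """Stand-in for a DNSSEC-validated query of the _port._proto.host TLSA RRset."""
    return [parse_tlsa(r) for r in zone.get(f"_{port}._{proto}.{host}", [])]


def dane_verify(zone: dict, host: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the peer iff at least one usable registered record matches it."""
    records = lookup_tlsa(zone, host)
    if not records:
        return False  # nothing registered: no key to anchor trust to
    return any(record_matches(r, cert_der, spki_der) for r in records)


# --- constructed sample data (not real keys or certificates) ---
SPKI_GOOD = b"constructed SubjectPublicKeyInfo for example.com"
CERT_GOOD = b"constructed certificate wrapping " + SPKI_GOOD
SPKI_OTHER = b"constructed key that a mis-issued certificate might carry"
CERT_OTHER = b"constructed certificate wrapping " + SPKI_OTHER

ZONE = {
    "_443._tcp.example.com": [build_tlsa(DANE_EE, SEL_SPKI, MATCH_SHA256, SPKI_GOOD)],
}

if __name__ == "__main__":
    print("registered key:", dane_verify(ZONE, "example.com", CERT_GOOD, SPKI_GOOD))
    print("other key:     ", dane_verify(ZONE, "example.com", CERT_OTHER, SPKI_OTHER))
    print("no record:     ", dane_verify(ZONE, "other.example", CERT_GOOD, SPKI_GOOD))
```

The check is only as strong as the integrity of the DNS answer it reads, which is exactly the exposure the message describes; in a real deployment the TLSA RRset must come back DNSSEC-validated, and the dictionary lookup here is where that validated resolver would sit. A certificate whose key is not the registered one fails the check regardless of who signed it, which is the sense in which the registered key, not the certificate, becomes the trust anchor.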