
Re: Self-signed root transport and CA expiration



At 04:02 PM 11/18/96 -0800, Tim Dierks wrote:
>
>The solutions seem pretty clumsy: either construct some heuristic to
>determine which key a certificate was issued with (based on validity times,
>perhaps), or require that validating applications iterate across potential
>issuers with identical names, attempting to verify the signature with each
>key (which would be very expensive).
>
> - Tim Dierks
>
>[Please forgive my submitting this to ssl-talk, smime-dev, and ietf-pkix]
>
>Tim Dierks - timd@consensus.com - www.consensus.com
>     Software Haruspex - Consensus Development
>  Developer of SSL Plus: SSL 3.0 Integration Suite

Have you considered the possibility of including the issuer public key in
the subject's certificate? That way every certificate is a self-signed cert.
Users (applications) that become reasonably familiar with any particular
public key, and therefore trust it implicitly, could choose not to verify to
the root to obtain a self-signed cert.

Regards,
Ned Smith
Ned Smith~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Intel Architecture Labs  2111 N.E. 25th Ave.  Hillsboro, OR. 97124     
Ph: 503.264.2692 Fax: x1805  Email: mailto:nsmith@ibeam.intel.com   
http://www.intel.com/ial/security/index.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
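
The trade-off discussed in this thread, as an added example that is not part of either message: a verifier holding several trusted keys under one CA name either tries each key in turn or uses an issuer key carried in the certificate to pick the one candidate to verify. The `Cert` layout, the function names, and the use of Ed25519 are assumptions made for illustration; the embedded key acts only as a selector among already-trusted keys, so a certificate carrying an untrusted issuer key is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

type Cert struct { // simplified stand-in for an X.509 certificate (assumed layout)
	Subject, Issuer string
	Key, IssuerKey  ed25519.PublicKey // IssuerKey: issuer's key carried in the cert
	Sig             []byte
}

func (c *Cert) tbs() []byte { // signed bytes, embedded issuer key included
	return bytes.Join([][]byte{[]byte(c.Subject), []byte(c.Issuer), c.Key, c.IssuerKey}, []byte{0})
}

func Issue(subject, ca string, key ed25519.PublicKey, caPriv ed25519.PrivateKey) *Cert {
	c := &Cert{Subject: subject, Issuer: ca, Key: key, IssuerKey: caPriv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// FindIssuer returns the signing trusted key's index (-1 if none) and the verification count.
func FindIssuer(c *Cert, trusted []ed25519.PublicKey, useHint bool) (idx, verifies int) {
	for i, k := range trusted {
		if useHint && !bytes.Equal(k, c.IssuerKey) {
			continue // the embedded key only selects a candidate; it is never trusted itself
		}
		if verifies++; ed25519.Verify(k, c.tbs(), c.Sig) {
			return i, verifies
		}
	}
	return -1, verifies
}

func Demo() [5]int { // constructed keys: three generations of one CA name, plus a rogue key
	pubs, privs := make([]ed25519.PublicKey, 4), make([]ed25519.PrivateKey, 4)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(nil)
	}
	good, forged := Issue("leaf", "Example CA", pubs[0], privs[2]), Issue("leaf", "Example CA", pubs[3], privs[3])
	ti, tc := FindIssuer(good, pubs[:3], false)
	hi, hc := FindIssuer(good, pubs[:3], true)
	fi, _ := FindIssuer(forged, pubs[:3], true)
	return [5]int{ti, tc, hi, hc, fi}
}

func main() { fmt.Println(Demo()) }
```

`Demo` returns the issuer index and verification count for the trial search, the same pair for the hinted search, and the index for the rogue-signed certificate.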