Re: Comments on [MANDATORY cert discovery capability]
Peter Williams wrote:
>
[snip]
> I'm imagining a Microsoft implementation of this PKIInformation exchange
> in which the activeX enrollment control, which implements the
> more elaborate B.x profiles using RSA, would be supplied to the EE in response
> to PKInformation object {ms 1}. Where the CA is not an activeX
> CA (i.e. it sends an error msg), then that same browser needs to fall
> back to non-activeX mechanisms by syncing on initialization information they
> can agree on (i.e. that which the CA optionally provides) and using a
> barebones PKIX-3 minimal, default implementation with DSA cipherSuites, say.
>
> (Take this example figuratively, only.)
Interesting thought, though. Personally, I couldn't imagine the
circumstances under which I'd accept an ActiveX control that wanted to
help me do *anything* with a cert. Boy, talking about opening one's
kimono . . . wanna make a copy of my private key(s) while you're here?
PKIs are all about trust and the ActiveX security model is essentially:
"Trust me on this." Sorry, I'm not quite there yet. 8-)
--
/*
* George Capehart email: gwc@vnet.net phone: +1 704.866.9151
*
* PGP ID: George W. Capehart <gwc@vnet.net>
*/