To: dnssec@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Fri, 31 Aug 2001 17:45:25 -0400
Delivery-Date: Sun Sep 2 14:24:25 2001
In-Reply-To: <Pine.BSO.4.33.0108312110090.11836-100000@fonbella.crt.se>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

First, this thread got a bit larger than it needed - there is (should be) little debate about the relative flexibility of public key structures and certificate structures (obviously because a public key is an important ingredient of a certificate). There is also no reason to argue that DNS (with or without DNSSEC) is in any way a PKI.

The original question was whether or not certificates made sense in applications - and the one Wes and I had in mind was SSH (as a starter). SSH has no current certificate processing code in it - that can be easily overcome. What is problematic is the lack of a PKI to produce certificates for SSH - and the lack of a defined means of chaining trust through "SSH" certificates.

My sense of this thread is that the debate of "public key versus certificate" is one that cannot be generalized. The issue is an application-by-application problem.

I guess a future mental exercise is to design a "PKI" (and I don't mean reimplement OpenSSL) infrastructure for SSH. (This would be off-topic for this list.)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.