To: Paul Hoffman / IMC <phoffman@imc.org>
Cc: keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 07 Jan 2002 22:19:03 -0500
In-Reply-To: Paul Hoffman / IMC's message of "Mon, 7 Jan 2002 13:23:23 -0800"
Sender: owner-keydist@cafax.se
Subject: Re: Definitions of keys and certs

While technically true, generally 'certificate' implies a single blob.
A 'bare public key that you will only trust if you
trust a public key that has signed it', at least in the case of
DNSSEC, is not a certificate in the conventional sense of the word
because the KEY and SIG are separable blobs. While cryptographically
this may be considered a certificate, operationally it is far from it.
-derek
Paul Hoffman / IMC <phoffman@imc.org> writes:
> Let's toss a bit more fat on the fire here. Some people have been
> claiming that they only care about bare public keys; I disagree with
> a subset of that group.
>
> A bare public key that you will only trust if you trust a public key
> that has signed it is not a public key: it is a part of a
> certificate. DNSSEC "keys" are in fact not keys, they are a part of a
> certificate.
>
> A bare public key that you will trust based on out-of-band
> information is in fact a public key. SSH public keys usually match
> that definition.
>
> These are not the same thing.
>
> --Paul Hoffman, Director
> --Internet Mail Consortium
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available