To: Paul Hoffman / IMC <phoffman@imc.org>
Cc: keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 07 Jan 2002 22:19:03 -0500
In-Reply-To: Paul Hoffman / IMC's message of "Mon, 7 Jan 2002 13:23:23 -0800"
Sender: owner-keydist@cafax.se
Subject: Re: Definitions of keys and certs

While technically true, generally 'certificate' implies a single blob.
In the case of a 'bare public key that you will only trust if you trust
a public key that has signed it', at least in the case of DNSSEC, is not
a certificate in the conventional sense of the word because the KEY and
SIG are separable blobs. While cryptographically this may be considered
a certificate, operationally it is far from it.

-derek

Paul Hoffman / IMC <phoffman@imc.org> writes:

> Let's toss a bit more fat on the fire here. Some people have been
> claiming that they only care about bare public keys; I disagree with
> a subset of that group.
>
> A bare public key that you will only trust if you trust a public key
> that has signed it is not a public key: it is a part of a
> certificate. DNSSEC "keys" are in fact not keys, they are a part of a
> certificate.
>
> A bare public key that you will trust based on out-of-band
> information is in fact a public key. SSH public keys usually match
> that definition.
>
> These are not the same thing.
>
> --Paul Hoffman, Director
> --Internet Mail Consortium

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available