To: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
cc: Keith Moore <moore@cs.utk.edu>, openssl-users@openssl.org, ietf <ietf@ietf.org>, isdf@isoc.org, Key Distribution <keydist@cafax.se>
From: Keith Moore <moore@cs.utk.edu>
Date: Wed, 12 Jun 2002 13:15:34 -0400
In-reply-to: (Your message of "Wed, 12 Jun 2002 09:57:06 PDT.") <Pine.LNX.4.44.0206120951000.14168-100000@perx.cac.washington.edu>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?
> > I don't want to discount the importance of cert discovery, but I do
> > think it's a stretch to believe that you're going to be willing to trust
> > all of the certs that you discover in a chain of significant length, for
> > a significant set of purposes.
>
> So do you think that there's a necessary difference in trustworthiness
> between the certs that you "discover" when you take your computer out of
> the box, or download the latest browser, and those that you would discover
> via some lookup mechanism? Even if the certs discovered via that
> mechanism were associated with policies based on explicit agreements
> and terms of use between your organization and the various issuers?

No, I think there's likely to be a difference in the trustworthiness of a short chain of certs involving a small number of other parties vs. that of a long chain of certs involving a larger number of other parties.

And if the cert discovery mechanism can incorporate personal and/or site policy, that's great - as long as it knows which policy to use under which circumstances.

In general I think the longer the cert chain, the narrower the applicability.

Keith