To: David Conrad <david.conrad@nominum.com>
Cc: "RL 'Bob' Morgan" <rlmorgan@WASHINGTON.EDU>, <openssl-users@openssl.org>, ietf <ietf@ietf.org>, <isdf@isoc.org>, Key Distribution <keydist@cafax.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: 12 Jun 2002 10:15:09 -0700
In-Reply-To: David Conrad's message of "Wed, 12 Jun 2002 10:03:36 -0700"
Reply-to: EKR <ekr@rtfm.com>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

David Conrad <david.conrad@nominum.com> writes:
> On 6/12/02 8:20 AM, "Eric Rescorla" <ekr@rtfm.com> wrote:
> >> But I can do
> >> this only if I can discover certs that *aren't* either in the set it hands
> >> me or in my local set, and TLS says nothing about how to do this.
> > Yes, because it's an edge case.
>
> Scalability as an edge case. Hmm.
Well, I see that you're as confused about what I said as Bob was.
If you have a singly-rooted cert hierarchy, then you always can
provide an explicit path to a known root. This scales extremely
well.
> > I think it's a little early to start
> > worrying about cross-certification.
>
> I think it is more than a bit late.
I guess we'll just have to differ here.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/