To:
openssl-users@openssl.org, jstracke@incentivesystems.com
Cc:
Franck@sopac.org, ietf@ietf.org, isdf@isoc.org, keydist@cafax.se, owner-ietf@ietf.org
From:
Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
Date:
Thu, 13 Jun 2002 21:34:14 +0200 (CEST)
In-Reply-To:
<OF4A931F67.FFE1C8BB-ON85256BD7.004D98DC@incentivesystems.com>
Sender:
owner-keydist@cafax.se
Subject:
Re: Global PKI on DNS?
In message <OF4A931F67.FFE1C8BB-ON85256BD7.004D98DC@incentivesystems.com> on Thu, 13 Jun 2002 10:08:49 -0400, "John Stracke" <jstracke@incentivesystems.com> said:
jstracke> >The CERT extension to DNS allows to place there a URI, a
jstracke> >URI is smaller than a cert and stays in a udp packet.
jstracke>
jstracke> Bootstrap problem: how can you trust the results of the URI?
The same way I trust whatever certificate source I have; not at all.
But from a PKI point of view, that's beside the point, as long as you
can to path discovery and validation all the way between the
certificate I want to verify and a set of root certificates you trust.
So the bootstrap problem is the same regardless of your certificate
source: you need a set of trusted root certificates.
--
Richard Levitte \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.