[14574] in cryptography@c2.net mail archive
Re: Simple SSL/TLS - Some Questions
daemon@ATHENA.MIT.EDU (Anonymous)
Tue Oct 7 19:27:17 2003
X-Original-To: cryptography@metzdowd.com
From: Anonymous <cripto@ecn.org>
To: cryptography@metzdowd.com, iang@systemics.com
Date: Wed, 8 Oct 2003 01:22:27 +0200 (CEST)
Ian Grigg wrote:
> Jill Ramonsky wrote:
> > (3) MULTIPLY SIGNED CERTIFICATES
..snip..
> I don't believe it is possible to multiply-sign
> x.509 certs. This is one of the reasons that
> PKIs based on x.509 have a miserable record, as
> the absence of any web of trust support and the
> promoting of a hierarchical trust model goes
> against most business and individual practices.
..snip..
> But, what's the point to the question? I'm
> not quite sure how this relates to the essential
> question of implementing TLS?
I suspect the reason for wanting multiply signed certs in a simple TLS implementation is that the primary targets for such a library are P2P applications. Most encrypted P2P apps use roll-your-own link encryption, probably in an insecure manner. They'd certainly benefit from a secure protocol like TLS, using self-signed certs SSH-style for node identification where appropriate. They would also probably benefit from a PGP-style web of trust. If it's not possible to implement this using x.509 certs, perhaps the effort would be better spent deriving a protocol variant that meets those needs.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
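The "self-signed certs SSH-style for node identification" suggested in the message above amounts to trust-on-first-use pinning of each peer's certificate fingerprint, the way SSH pins host keys in known_hosts. The following is an added example, not code from the thread or any of its participants, written in standard-library Python only. The names KnownPeers, PeerKeyChanged and check, the known_hosts-like line format, and the certificate byte strings are my own constructions; a real client would pass the DER certificate obtained from the TLS handshake and would persist the store between runs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


class PeerKeyChanged(Exception):
    """Raised when a known peer presents a certificate that does not match its pin."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded (the usual certificate fingerprint)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class KnownPeers:
    """SSH known_hosts analogue: maps a peer identifier to the fingerprint pinned on first contact."""
    pins: dict = field(default_factory=dict)

    def check(self, peer_id: str, cert_der: bytes) -> str:
        """Return 'new' when a peer is pinned for the first time, 'ok' on a match, raise on a mismatch."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(peer_id)
        if pinned is None:
            # First contact: nothing to compare against, so pin it (the TOFU leap of faith).
            self.pins[peer_id] = fp
            return "new"
        if hmac.compare_digest(pinned, fp):
            return "ok"
        # A changed certificate is either a legitimate re-key or an interception attempt;
        # the store cannot tell which, so it refuses and leaves the decision to the operator.
        raise PeerKeyChanged(f"{peer_id}: pinned {pinned[:16]}..., presented {fp[:16]}...")

    def to_lines(self) -> list:
        """Serialise as 'peer_id sha256:<hex>' lines, one per peer, like a known_hosts file."""
        return [f"{pid} sha256:{fp}" for pid, fp in sorted(self.pins.items())]

    @classmethod
    def from_lines(cls, lines) -> "KnownPeers":
        """Parse the format written by to_lines; blank lines and '#' comments are ignored."""
        pins = {}
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            pid, fp = line.split()
            if not fp.startswith("sha256:"):
                raise ValueError(f"unsupported fingerprint format: {fp}")
            pins[pid] = fp[len("sha256:"):]
        return cls(pins)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificate bytes; real code would use the DER from the handshake.
    cert_a = b"constructed DER for node-a"
    cert_b = b"constructed DER presented later under the same peer id"
    store = KnownPeers()
    print(store.check("node-a", cert_a))  # first contact: pinned
    print(store.check("node-a", cert_a))  # same certificate again: accepted
    try:
        store.check("node-a", cert_b)     # different certificate: refused
    except PeerKeyChanged as e:
        print("refused:", e)
    print("\n".join(store.to_lines()))
```

The model gives node identity without any CA, which is what a P2P library gains over roll-your-own link encryption, but it offers no protection on the very first contact and turns every legitimate re-key into a visible refusal; that refusal is the detection point, and it is where a web-of-trust endorsement of the new key would have to be checked if the protocol supported one.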