Re: Types of object for trust anchors

>>>>> "Paul" == Paul Hoffman <paul.hoffman@xxxxxxxx> writes:
    >> That seems more complicated (in code space) than just making
    >> everyone use BER CMS to me...

    Paul> BER CMS of *what*? A bare public key? A cert of a particular
    Paul> format? What I'm thinking is a requirement for flexibility is
    Paul> not the housing, but the contents.

    >> I would say that it's either something like YAML + DNS
    >> presentation format of bare keys, or CMS. Not both.

    Paul> If you are saying "no certs allowed", then it makes the
    Paul> solution unusable for IE, for Mac OSX, and for Firefox. That
    Paul> feels kinda limiting to me.

  I don't see your point.
  Either new code is necessary, or it's not.
  If it's not new code, then it has to be an existing format, which is
implemented already.  If it's new code, then it's new code.

    >> I also think that some SPKI stuff needs to be brought up in the
    >> BOF.  Specifically, relating to section 3, paragraph 3.

    Paul> I don't see why that is SPKI specific... It seems quite
    Paul> relevant to PGP certs, and should be relevant to PKIX certs.

  SPKI made some very clear statements about what it means to have trust
anchors, and how you can trust them. If you want to have trust anchors
for specific things, but not trust them for other things, then SPKI has
ways to express that, or at least, has some (English) language for
explaining that.

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxx      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
