Re: Types of object for trust anchors
>>>>> "Paul" == Paul Hoffman <paul.hoffman@xxxxxxxx> writes:
>> That seems more complicated (in code space) than just making
>> everyone use BER CMS to me...
Paul> BER CMS of *what*? A bare public key? A cert of a particular
Paul> format? What I'm thinking is a requirement for flexibility is
Paul> not the housing, but the contents.
>> I would say that it's either something like YAML + DNS
>> presentation format of bare keys, or CMS. Not both.
Paul> If you are saying "no certs allowed", then it makes the
Paul> solution unusable for IE, for Mac OSX, and for Firefox. That
Paul> feels kinda limiting to me.
I don't see your point.
Either new code is necessary, or it's not.
If it's not new code, then it has to be an existing format, which is
implemented already. If it's new code, then it's new code.
>> I also think that some SPKI stuff needs to be brought up in the
>> BOF. Specifically, relating to section 3, paragraph 3.
Paul> I don't see why that is SPKI specific... It seems quite
Paul> relevant to PGP certs, and should be relevant to PKIX certs.
SPKI made some very clear statements about what it means to have trust
anchors, and how you can trust them. If you want to have trust anchors
for specific things, but not trust them for other things, then SPKI has
ways to express that, or at least, has some (English) language for
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [