IETF Logo Mail Archive

Re: Re (subtopic): LDAP certificate distribution

Vadim Fedukovich <vf@unity.net> Mon, 18 August 2003 12:14 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA17317 for <smime-archive@lists.ietf.org>; Mon, 18 Aug 2003 08:14:11 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7IBZHqt001946 for <ietf-smime-bks@above.proper.com>; Mon, 18 Aug 2003 04:35:17 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7IBZHen001945 for ietf-smime-bks; Mon, 18 Aug 2003 04:35:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from main.giknpc.com.ua (backup.adm.dp.ua [212.86.233.14]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7IBZ3qt001851 for <ietf-smime@imc.org>; Mon, 18 Aug 2003 04:35:13 -0700 (PDT) (envelope-from vf@main.giknpc.com.ua)
Received: (from vf@localhost) by main.giknpc.com.ua (8.11.6/8.11.6) id h7IBYnE25205 for ietf-smime@imc.org; Mon, 18 Aug 2003 14:34:49 +0300
Date: Mon, 18 Aug 2003 14:34:49 +0300
From: Vadim Fedukovich <vf@unity.net>
To: ietf-smime@imc.org
Subject: Re: Re (subtopic): LDAP certificate distribution
Message-ID: <20030818113449.GD17168@unity.net>
References: <3F3C4C43.6010205@netscape.com> <3F3AF421.6060008@netscape.com> <2A1D4C86842EE14CA9BC80474919782E01112FFC@mou1wnexm02.verisign.com> <001301c360ef$41128990$0500a8c0@arport> <EXECMAIL.20030814103028.E@kepler.messagingdirect.com> <EXECMAIL.20030815103011.B1437@kepler.esys.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <EXECMAIL.20030815103011.B1437@kepler.esys.ca>
User-Agent: Mutt/1.4.1i
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

On Fri, Aug 15, 2003 at 10:30:11AM -0700, Steve Hole wrote:
> 
> On Thu, 14 Aug 2003 19:58:11 -0700 Julien Pierre <jpierre@netscape.com> 
> wrote:
> 
> > Why ?
> 
> Because you have to run a root.  That is, the hierarchy has to have a top 
> level interconnect.

really?

I believe RSA works fine both for subject name matching issuer name
and for any other subject name. One could put trust directly in some
CA certificate (say, a corporation-wide one) and it could be root,
self-signed or otherwise. Fine-tuned client software is the point

>   This quickly becomes an issue of governance.   
> National goverments get involved the way they got involved in DNS.   The 
> difference is that the governments got involved *before* the service was 
> running, not after the way they did with DNS.

One can easily sign with DSS/DSA using widely distributed quorum system,
maybe Shamir secret-sharing one. No single one would own
the signing key and it could be generated in shares right from the start

regards,
Vadim

v2.43.4 | Report a Bug | By Email | System Status