IETF Logo Mail Archive

Re: [therightkey] Basically, it's about keeping the CAs honest

Paul Lambert <paul@marvell.com> Wed, 15 February 2012 20:30 UTC

Return-Path: <paul@marvell.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0747921F85A0 for <therightkey@ietfa.amsl.com>; Wed, 15 Feb 2012 12:30:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.421
X-Spam-Level:
X-Spam-Status: No, score=-6.421 tagged_above=-999 required=5 tests=[AWL=0.178, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ciGQ7DMcr4nY for <therightkey@ietfa.amsl.com>; Wed, 15 Feb 2012 12:30:49 -0800 (PST)
Received: from na3sys009aog106.obsmtp.com (na3sys009aob106.obsmtp.com [74.125.149.76]) by ietfa.amsl.com (Postfix) with ESMTP id 33DBF21F858F for <therightkey@ietf.org>; Wed, 15 Feb 2012 12:30:49 -0800 (PST)
Received: from SC-OWA01.marvell.com ([65.219.4.129]) (using TLSv1) by na3sys009aob106.postini.com ([74.125.148.12]) with SMTP ID DSNKTzwV7CO+yt/faxCqfqGhm+FGoePIzVTg@postini.com; Wed, 15 Feb 2012 12:30:49 PST
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA01.marvell.com ([10.93.76.21]) with mapi; Wed, 15 Feb 2012 12:28:09 -0800
From: Paul Lambert <paul@marvell.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Date: Wed, 15 Feb 2012 12:28:09 -0800
Thread-Topic: [therightkey] Basically, it's about keeping the CAs honest
Thread-Index: AczrkCHb2Au+AhPsQHGhika2vUpaTQAgRx8g
Message-ID: <7BAC95F5A7E67643AAFB2C31BEE662D01579DA1693@SC-VEXCH2.marvell.com>
References: <7BAC95F5A7E67643AAFB2C31BEE662D01579DA14D8@SC-VEXCH2.marvell.com> <CB608CB1.12EE2%carl@redhoundsoftware.com>
In-Reply-To: <CB608CB1.12EE2%carl@redhoundsoftware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Basically, it's about keeping the CAs honest
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2012 20:30:50 -0000

>>If I could do this - then the random root cert that I accept for
>>your signature could be locally constrained to be just for you or
>>a small domain range (e.g. an enterprise)
>
>Yep.  There are specs that enable this (RFCs 5914 and 5937) but they are
>not in wide use.

Thanks. Appreciate the pointers.  Providing an explicit limitation of trust
is an important design requirement.  A well thought out design, but the
complexity may be limiting adoption.  Then again - the complexity
is a function of the core 509 framework ... if trust expressions
were easier to express would there be better adoption and more
trustworthy implementations?

Paul

v2.23.0 | Report a Bug | By Email