About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database

  • To: Randy Bush < >
  • From: Patrik Fältström < >
  • Date: Wed, 16 Jul 2003 16:37:51 +0200
On onsdag, jul 16, 2003, at 16:28 Europe/Stockholm, Randy Bush wrote:


so i am supposed to install the RIRs' certs in my browser as root
CAs and ignore the big hole for attack this opens?  i already
*remove* a bunch of root CAs when i bring up a new browser.  this
is the new internet.  get paranoid.

let the RIRs spend a few of the bucks they have getting their certs
signed by a well-trusted root CA.
It all depends on who you trust.

If I personally am to communicate with someone, I want to have that other party give me via in-real-life-communication his fingerprint for his PGP key (and vice versa). Then we have the trust relationship needed. I can further in all PGP implementations I have seen say "I do _NOT_ trust this other party as one which introduces others (I trust him, but not keys he sign). I have not seen you can do that with X.509/SSL.

This which Randy point out is very important, as with X.509 you always need a third party. There are good reason why the RIR should get their cert from a "real" CA, but then both the RIR and the customer need to trust this third party. Do we trust the third party more than the RIR?

paf



  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | Copyright Statement
RIPE.NET Homepage LIR Portal RIPE Community