[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Patrik Fältström
paf at cisco.com
Wed Jul 16 16:37:51 CEST 2003
On onsdag, jul 16, 2003, at 16:28 Europe/Stockholm, Randy Bush wrote:
> so i am supposed to install the RIRs' certs in my browser as root
> CAs and ignore the big hole for attack this opens? i already
> *remove* a bunch of root CAs when i bring up a new browser. this
> is the new internet. get paranoid.
>
> let the RIRs spend a few of the bucks they have getting their certs
> signed by a well-trusted root CA.
It all depends on who you trust.
If I personally am to communicate with someone, I want to have that
other party give me via in-real-life-communication his fingerprint for
his PGP key (and vice versa). Then we have the trust relationship
needed. I can further in all PGP implementations I have seen say "I do
_NOT_ trust this other party as one which introduces others (I trust
him, but not keys he sign). I have not seen you can do that with
X.509/SSL.
This which Randy point out is very important, as with X.509 you always
need a third party. There are good reason why the RIR should get their
cert from a "real" CA, but then both the RIR and the customer need to
trust this third party. Do we trust the third party more than the RIR?
paf
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]