[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Patrik Fältström
paf at cisco.com
Wed Jul 16 16:37:51 CEST 2003
On Wednesday, Jul 16, 2003, at 16:28 Europe/Stockholm, Randy Bush wrote:

> so i am supposed to install the RIRs' certs in my browser as root
> CAs and ignore the big hole for attack this opens? i already
> *remove* a bunch of root CAs when i bring up a new browser. this
> is the new internet. get paranoid.
>
> let the RIRs spend a few of the bucks they have getting their certs
> signed by a well-trusted root CA.

It all depends on who you trust.

If I personally am to communicate with someone, I want to have that other party give me, via in-real-life communication, his fingerprint for his PGP key (and vice versa). Then we have the trust relationship needed. Further, in all PGP implementations I have seen, I can say "I do _NOT_ trust this other party as one which introduces others" (I trust him, but not keys he signs). I have not seen that you can do that with X.509/SSL.

What Randy points out is very important, as with X.509 you always need a third party. There are good reasons why the RIR should get their cert from a "real" CA, but then both the RIR and the customer need to trust this third party.

Do we trust the third party more than the RIR?

paf