Duane wrote:

Nicholas Bachmann wrote:

1. It's a chain of trust: it's hard for Bob to verify Alice's signature directly
-Not impossible to fix


CAcert.org's whole purpose is cheap, easily obtainable security... It employs a web of trust in the website framework to build up and distribute face to face identification checks...

A web of trust is different from the chain of trust I'm talking about. In a web of trust, a key is signed by lots of different people; ideally, everybody can trust everybody. In a chain of trust, each member only knows and trusts the adjacent members.



2. A central registry must be created that's free and open for providers to use but secure enough to verify members.


Again CAcert.org fulfils this criterion...

Sort of... CAcert.org is a Certificate Authority. A CA just signs public keys, while a key server stores a copy of them. What I'm talking about is more like http://pgp.mit.edu/.


               -Think about the global IP address distribution agencies
3. Phones must get private keys securely.


Last one is as much a technical issue as a people issue, although PIX firewalls implement (forget the acronym) where they send a request to a CA and the CA sends back a certificate. I keep meaning to implement it for CAcert, but I lack a PIX for dev & testing...

But we're not looking at certificates; we're looking at public/private keypairs. Phones can generate the keypairs, but how does the phone prove to the key server that it is an authorized phone? With just a simple password?


Nick
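
The chain-versus-web distinction drawn in this message can be checked mechanically. The following is an added example, not code from either poster: it treats "X has directly verified Y's key" as a graph edge, then reports how many verification paths Bob has to Alice and which intermediaries sit on every one of them. All party names and both graphs are constructed assumptions.

```python
# Added illustration; the graphs and party names are constructed, not from the thread.

def trust_paths(vouches, verifier, target, max_hops=6):
    """Return every simple path verifier -> ... -> target.
    vouches maps a party to the set of keys it has directly verified."""
    paths, stack = [], [(verifier, [verifier])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        if len(path) > max_hops:      # bound the search in large graphs
            continue
        for nxt in sorted(vouches.get(node, ())):
            if nxt not in path:       # simple paths only, no loops
                stack.append((nxt, path + [nxt]))
    return sorted(paths, key=lambda p: (len(p), p))

def mandatory_intermediaries(paths):
    """Intermediaries present on every path: if any one of them is wrong
    or compromised, the verifier has no alternative route to the target."""
    if not paths:
        return set()
    common = set(paths[0][1:-1])
    for p in paths[1:]:
        common &= set(p[1:-1])
    return common

# Constructed chain of trust: each member knows only the adjacent member.
CHAIN = {
    "bob": {"bob_provider"},
    "bob_provider": {"registry"},
    "registry": {"alice_provider"},
    "alice_provider": {"alice"},
}

# Constructed web of trust: Alice's key is signed by several different people.
WEB = {
    "bob": {"carol", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"alice"},
    "erin": {"alice"},
}

def summarize(vouches):
    paths = trust_paths(vouches, "bob", "alice")
    return len(paths), mandatory_intermediaries(paths)

if __name__ == "__main__":
    for name, graph in (("chain", CHAIN), ("web", WEB)):
        count, must = summarize(graph)
        print(f"{name}: {count} path(s), on every path: {sorted(must)}")
```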

_______________________________________________
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users