On 09/18/2014 08:57 AM, David R Oran wrote:
On Sep 18, 2014, at 11:46 AM, Rene Struik <rstruik....@gmail.com> wrote:

It seems that the cryptographic literature needs to be rewritten now ...

==
Anything you can do with a cert, you can do with raw public keys, and you don't
need CAs. See RFC4871 for an example.
I would have thought it was the opposite:
anything you can do with raw keys you can do with certificates.

Raw keys cannot prove an assertion that a certain claimed name is bound to a 
certain key. In the case of self-signed certs you only get the advantages of 
having a data structure and code that is understood and well vetted, but with 
either a PKI or a web of trust you do get benefits from using Certs. You also 
get usage policy restrictions, which cannot be expressed with raw keys.

Raw keys in and of themselves provide provable identifiers of the public key:
the fingerprint itself. It remains to be seen whether some other identity needs
to be bound to it, and, of course, certs are hardly the only way to do that.

Self-signed certs bring only confusion, IMO: they are nothing more than a raw
key with an unsubstantiated claim to another name, along with a whole lot more
ASN.1 baggage beyond what is needed to parse the modulo and exponent.

And you don't get usage or policy restrictions without a CA that the *HOMENET*
trusts to assert them, nor can that sort of policy assertion be done with device
certs since I don't have any reason to believe fly-by-night's routers should be
allowed to do whatever it is they claim they want to do.

Mike

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
