On Tuesday 12 of October 2010 16:28:54 Sim IJskes - QCG wrote:
> On 10/12/2010 04:25 PM, Michal Kleczek wrote:
> > On Tuesday 12 of October 2010 16:13:14 Sim IJskes - QCG wrote:
> >> On 10/12/2010 04:10 PM, Michal Kleczek wrote:
> >>> On Tuesday 12 of October 2010 16:04:41 Sim IJskes - QCG wrote:
> >>>> On 10/12/2010 03:39 PM, Michal Kleczek wrote:
> >>>>> Or your code is signed with PGP - but I don't have a PGP verifier
> >>>>> installed. Is it possible for you to provide me with third party PGP
> >>>>> verifier code that in turn is signed with a standard X509
> >>>>> certificate?
> >>>>
> >>>> Why PGP? The PKI is the same. The CA's signing domain related
> >>>> certificates are creating the inflexibility.
> >>>
> >>> Exactly... Hierarchical CAs are inflexible - that's why PGP (or SPKI)
> >>> :)
> >>
> >> Strange reasoning. I'm my own CA. What's the problem?
> >
> > Your CA certificate is self-signed. How can I trust it?
>
> Exactly. PKI is delegation of trust. If you don't trust the CA (or don't
> want to pay the CA to trust you), it ends here.
>
> PKI is no replacement of trust.
>
I know - but somehow we went far away from the original subject.

My point is - can our trust decisions be based on something more flexible than it is right now in Jini?

As far as I understand you're saying "let's just base our trust decisions on X509 certificates and nothing more".
I say - "let's allow extending it - I base my trust in you on X509 certificate but allow you to transfer my trust to someone else and I don't care if it is based on X509 or smoke signals".

Michal
