Michal Kleczek wrote:
On Tuesday 12 of October 2010 16:28:54 Sim IJskes - QCG wrote:
On 10/12/2010 04:25 PM, Michal Kleczek wrote:
On Tuesday 12 of October 2010 16:13:14 Sim IJskes - QCG wrote:
On 10/12/2010 04:10 PM, Michal Kleczek wrote:
On Tuesday 12 of October 2010 16:04:41 Sim IJskes - QCG wrote:
On 10/12/2010 03:39 PM, Michal Kleczek wrote:
Or your code is signed with PGP - but I don't have a PGP verifier
installed. Is it possible for you to provide me with third party PGP
verifier code that in turn is signed with a standard X509
certificate?
Why PGP? The PKI is the same. The CA's signing domain related
certificates are creating the inflexibility.
Exactly... Hierarchical CAs are inflexible - that's why PGP (or SPKI)
:)
Strange reasoning. I'm my own CA. Whats the problem?
Your CA certificate is self-signed. How can I trust it?
Exactly. PKI is delegation of trust. If you dont trust the CA (or dont
want to pay the CA to trust you), it ends here.
PKI is no replacement of trust.
I know - but somehow we went far away from the original subject.
My point is - can our trust decisions be based on something more flexible than
it is right now in Jini?
Yes for sure, I believe this is possible.
As far as I understand you're saying "let's just base our trust decisions on
X509 certificates and nothing more". I say - "let's allow extending it - I base
my trust in you on X509 certificate but allow you to transfer my trust to
someone else and I don't care if it is based on X509 or smoke signals"
Michal
PGP's web of trust, you don't have to be self signed.
Bouncy Castle has a PGP provider, meaning we'd require it installed at
the client, after that, it's basically all the familiar java crypto
interfaces because it an SPI.
Imagining the DOS hole has been fixed for a moment, trust in this case
might be as simple as, I don't know you, but your key is signed by
someone I trust, so I can authenticate you and I grant you
DownloadPermission.
Cheers,
Peter.
