On Thu, May 25, 2000 at 09:11:25AM +0200, Richard Levitte - VMS Whacker wrote:
[...]
> What you say is a nice thought, and I'd very much like to see
> something like that, but I see one problem with it, at least with the
> current definition of RFC2459 certificates (as I understand RFC2459.
> If I'm way wrong, please tell me): there can only be one signature for
> each certificate.

Sure, but a cert is just a block of data, and the block of data can be 
signed.

> The consequence of this is that you can't really get a web of trust
> with RFC2459, you rather get a hierarchy of trust, which means that
> sooner (or later, but I don't really believe that), you will end up
> with some kind of institution at the top that everyone trusts.  And I
> hardly see this kind of hierarchy ever becoming a system of _personal_
> trust that is the basis of the PGP web of trust.

Just kicking this around a bit more...  To be more concrete, suppose I
wanted to start a CA - kentsCA.  I put up a web page, describing
policies and procedures that must be followed before I will sign someone
else's cert, how I protect the keys, various policies, CRL handling, etc.,
and advertise.  My best friends use my CA, they like what they see, and
sign my CA cert, and upload it to this new hypothetical keyserver-like
service I am blue-skying.  Pretty soon my CA cert has a thousand
endorsers, and some of them are well-known.

Imagine further that a browser has a plugin that queries the 
keyserver-like service I am mentioning, and when you use a cert signed 
by my CA it pops up a window that says 

    kentsCA has 1000 endorsers at the MIT CAcert-enhanced keyserver
    service. 

    []  Accept CAcert 
    []  Reject CAcert 
    []  Show me more info about the endorsers

Of course, this scheme would work as a means of directly endorsing *any*
self-signed cert.  It gives a "web of trust" that supports the identity 
of the self-signer.

> In any case, there are already institutions that we (or at least,
> that's how it works in Sweden) give a certain amount of trust to hold
> the ultimate proof of our identity (in Sweden, it's the IRS, of all
> things).  It would be quite natural for those to start handing out
> certificates.  I think this has already started, or at least that the
> foundation for such a thing is being laid out, but I'm sure there
> will be one or another trivia master who will correct me on this :-).

Identity certs are somewhat different from server certs, though.

Kent

-- 
Kent Crispin                               "Do good, and you'll be
[EMAIL PROTECTED]                           lonesome." -- Mark Twain
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
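The endorsement scheme Kent sketches above (a cert is a block of data, third parties sign that block, a keyserver-like service indexes the signatures, and a client counts how many verify) can be played out in a few dozen lines of Go. This is an added example written for this page; it is not code from the thread or from the OpenSSL project. It assumes Ed25519 detached signatures over the certificate's raw DER, a SHA-256 fingerprint as the keyserver index key, and the names kentsCA, someoneElsesCA and endorser-N, all of which are constructed for the illustration. The check it demonstrates is the one a plugin would need: endorsements are counted only if their signature verifies over the exact bytes of the cert actually presented, so a forged or mis-filed entry on the server contributes nothing to the count.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Endorsement is a detached signature by a third party over the raw DER of a
// certificate. The certificate keeps its single RFC 2459 signature untouched;
// the endorsement signs "the block of data", as the thread puts it.
type Endorsement struct {
	Endorser  string            // display name (constructed for this example)
	PublicKey ed25519.PublicKey // the endorser is identified by key, not by name
	Signature []byte            // Ed25519 signature over the cert DER
}

// Keyserver stands in for the hypothetical keyserver-like service: an index
// from certificate fingerprint to the endorsements uploaded for it.
type Keyserver struct {
	index map[string][]Endorsement
}

// Fingerprint keys the index by SHA-256 of the exact DER bytes.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// Upload stores an endorsement. The server does not verify it; the client does.
func (k *Keyserver) Upload(certDER []byte, e Endorsement) {
	fp := Fingerprint(certDER)
	k.index[fp] = append(k.index[fp], e)
}

// Endorse produces a detached signature over the certificate bytes.
func Endorse(name string, priv ed25519.PrivateKey, certDER []byte) Endorsement {
	return Endorsement{
		Endorser:  name,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, certDER),
	}
}

// CountEndorsers is what the browser plugin would do: fetch endorsements for
// the cert actually presented, keep only those whose signature verifies over
// those exact bytes, and report how many come from keys the user already
// knows (the "well-known" endorsers), looked up by hex public key.
func (k *Keyserver) CountEndorsers(certDER []byte, wellKnown map[string]bool) (valid, known int) {
	for _, e := range k.index[Fingerprint(certDER)] {
		if !ed25519.Verify(e.PublicKey, certDER, e.Signature) {
			continue // forged or mis-filed entry: ignored, not counted
		}
		valid++
		if wellKnown[hex.EncodeToString(e.PublicKey)] {
			known++
		}
	}
	return valid, known
}

// NewSelfSignedCA builds a self-signed CA certificate and returns its DER.
func NewSelfSignedCA(commonName string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// Scenario plays out the thread's example in miniature: kentsCA, n genuine
// endorsers of which the first is treated as well-known, plus one entry whose
// signature was made over a different certificate and filed under kentsCA.
// It returns (valid endorsers, well-known endorsers, entries stored).
func Scenario(n int) (valid, known, stored int, err error) {
	caDER, err := NewSelfSignedCA("kentsCA")
	if err != nil {
		return 0, 0, 0, err
	}
	otherDER, err := NewSelfSignedCA("someoneElsesCA")
	if err != nil {
		return 0, 0, 0, err
	}
	ks := &Keyserver{index: map[string][]Endorsement{}}
	wellKnown := map[string]bool{}
	for i := 0; i < n; i++ {
		_, priv, _ := ed25519.GenerateKey(rand.Reader)
		ks.Upload(caDER, Endorse(fmt.Sprintf("endorser-%d", i), priv, caDER))
		if i == 0 {
			wellKnown[hex.EncodeToString(priv.Public().(ed25519.PublicKey))] = true
		}
	}
	_, impostor, _ := ed25519.GenerateKey(rand.Reader)
	ks.Upload(caDER, Endorse("impostor", impostor, otherDER)) // signed the wrong cert
	valid, known = ks.CountEndorsers(caDER, wellKnown)
	return valid, known, len(ks.index[Fingerprint(caDER)]), nil
}

func main() {
	valid, known, stored, err := Scenario(1000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("kentsCA has %d endorsers (%d well-known) at the keyserver; %d entries stored\n",
		valid, known, stored)
}
```

Two design points worth noting. The index is keyed by the fingerprint of the presented DER, so a modified cert simply has no endorsements rather than inheriting someone else's; and the count distinguishes "verifies" from "well-known", which is the part of the scheme that actually carries trust: a thousand endorsements from keys nobody recognises is only evidence that a thousand keys exist.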