On Thu Dec 2 17:16:06 2010, Kim Alvefur wrote:
On Thu, 2010-12-02 at 17:06 +0000, Dave Cridland wrote:
> (FWIW, I wondered for some time about clients generating a CSR and
> having servers actually be PKIX CAs, but that equally gains
nothing,
> except adding lots more exciting-looking X.509).
>
> Of course, if the certificate is signed by a trusted party (ie, a
> real CA), then everything changes - the server cannot advertise a
> false certificate any longer, so the situation is entirely
different.
This is where it would have been useful for the PKIX CA structure
to be
more like DNS, so you could sign certs for your own users and
subdomains
etc.
Of course, you could do that with DNSSEC and CERT records.
Or you could do it with a mad CA which authenticated you as the owner
of a domain, and then granted you an ICA certificate with name
constraints for the domain.
Quite excitingly mad, actually - I'm almost tempted.
Dave.
--
Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade