On Tue, Apr 23, 2013 at 4:37 PM, Dave Cridland <d...@cridland.net> wrote: > There are signing/encryption proposals based around X.509, too. In the XMPP > world, I'm tempted to suggest hammering >
Hammering? What do you mean? > In the PKIX model, the key used for signing belongs to a CA, which can be > protected better against compromise than a key used for signing and > encryption (and authentication), such as a client or server key, so > revocation of entire CA certificates is rare, and typically makes headline > news. > That's the issue: it always come to relying to a (possibly) commercial third party to do the job. It contrasts with the concept of "community-driven" server network. In my mind, every server in the network has its own CA, otherwise it won't be "community-driven". Anyway, I don't think a third party CA would sign certificate requests "blindly" (that is, given by a server when it's registering a new account for a new user). > Well, if you want to have the certificate provision based around an in-band, > or client-driven, registration protocol, then I think you need a method for > having the certificate (or PGP key) signed. It seems reasonable to want to > standardize this. > Sure, that would be great. -- Daniele