On 8 Feb 2012, at 20:30 , Stephen Kent wrote:
> I think the real issue, which you may have overlooked in my comments
> above, is the notion that the best candidate for a CA is an entity
> that is authoritative for the identity asserted in the cert.

I cannot agree more with you in that statement. And I don't think I overlooked 
it. What made me reply was the point about federated identity ("having one org 
trust another to assert an identity for a user known to the second, but not 
the first") being "a recipe for security problems". My point was that a 
certificate was precisely such an assertion, and I do agree with you that 
whichever entity makes such an assertion (X.509, SAML, JWT…) has to be 
authoritative for the identity asserted if you want it to be usable.

> Based on your reply, I get the sense that you're focusing on CAs like the
> current set of browser TAs, all of which fail to meet the criteria I
> cited.

As well as many of the federation systems you and I are aware of, for sure. But 
not all, and not because the concept behind them is flawed.

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: di...@tid.es
Tel:    +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------


_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey