[117398] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: delegating SSL certificates

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sun Mar 16 10:29:49 2008

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com,
	travis+ml-cryptography@subspacefield.org
In-Reply-To: <20080225220143.GC8561@subspacefield.org>
Date: Sun, 16 Mar 2008 23:26:07 +1300

travis+ml-cryptography@subspacefield.org writes:

>I would think this would be rather common, and I may have heard about certs
>that had authority to sign other certs in some circumstances...

The desire to do it isn't uncommon, but it runs into problems with PKI
religious dogma that only a CA can ever issue a certificate.  For example I
proposed this on the PKIX working group nearly a decade ago, specifically the
ability for end entities with signing certs to issue their own encryption
certs, since there's absolutely no need to involve a CA in this.  I've still
got the draft online at
http://www.cs.auckland.ac.nz/~pgut001/pubs/autonomous.txt.  The WG chair's
response was "we don't want to turn X.509 into PGP", and that was the end of
it.  The grid computing folks eventually got something through in the form of
proxy certificates for the Globus GSI, but that probably isn't what you're
looking for.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post