[117427] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: [mm] delegating SSL certificates

daemon@ATHENA.MIT.EDU (Ben Laurie)
Sun Mar 16 19:22:14 2008

Date: Sun, 16 Mar 2008 18:52:06 +0000
From: Ben Laurie <ben@links.org>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
CC: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <02120D26-545E-4C38-B8CA-AA01D34E471D@webweaving.org>

Dirk-Willem van Gulik wrote:
> So I'd argue that while x509, its CA's and its CRL's are a serious pain 
> to deal** with, and seem add little value if you assume avery diligent 
> and experienced operational team -- they do provide a useful 
> 'procedural' framework and workflow-guide which is in itself very 
> valuable, relatively robust and are a little bit organisationally 
> "inherently fail-safe". The latter as you are forced to think about 
> expiry of the assertions, what to do when a CRL is too old and so on.

I think there's a large gulf between the use case where the relying 
party and the CA are the same entity, and where they do not even have a 
contractual arrangement.

CAs within a corporate environment may well be a good idea in some 
cases, indeed. As you know, we've been pushing on this idea at the 
Apache Software Foundation for some time now, hindered only by our 
laziness :-)

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post