[145531] in cryptography@c2.net mail archive
Re: Five Theses on Security Protocols
daemon@ATHENA.MIT.EDU (Guus Sliepen)
Sat Jul 31 18:05:36 2010
Date: Sat, 31 Jul 2010 19:30:06 +0200
From: Guus Sliepen <guus@sliepen.org>
To: cryptography@metzdowd.com
Mail-Followup-To: Guus Sliepen <guus@sliepen.org>,
cryptography@metzdowd.com
In-Reply-To: <20100731123239.2efc2f51@jabberwock.cb.piermont.com>
On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:
> 1 If you can do an online check for the validity of a key, there is no
> need for a long-lived signed certificate, since you could simply ask
> a database in real time whether the holder of the key is authorized
> to perform some action. The signed certificate is completely
> superfluous.
>
> If you can't do an online check, you have no practical form of
> revocation, so a long-lived signed certificate is unacceptable
> anyway.
But if you query an online database, how do you authenticate its answer? If
you use a key for that or an SSL certificate, I see a chicken-and-egg problem.
-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.org>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com