[18586] in cryptography@c2.net mail archive
Re: continuity of identity
daemon@ATHENA.MIT.EDU (Adam Shostack)
Thu Sep 29 17:51:24 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 29 Sep 2005 17:06:24 -0400
From: Adam Shostack <adam@homeport.org>
To: cryptography@metzdowd.com
In-Reply-To: <4339A616.9040803@av8n.com>
On a somewhat related note, the other day, I was working on a shell
script to automate Mac access to Google's Secure Access system.
Now, as I did this, I was able to get curl to respect a single CA as
the only CA it should accept, but I was totally unable to get any form
of certificate persistence. Is there a way to do this, or am I forced
to invoke openssl and parse its output?
Adam
On Tue, Sep 27, 2005 at 04:05:42PM -0400, John Denker wrote:
| Jerrold Leichter mentioned that:
|
| > a self-signed cert is better than no cert at all: At least it can be used in an
| > SSH-like "continuity of identity" scheme.
|
| I agree there is considerable merit to a "continuity of identity"
| scheme.
|
| But there are ways the idea can be improved. So let's discuss it.
|
| For starters, let me suggest that rather than having a self-signed
| certificate of the type created more-or-less automatically when
| you set up your Apache server or set up your SSH daemon, it makes
| more sense to set up your own CA and issue your own certs from
| there. In some sense this is just a different type of self-signing,
| but it adds a possibly useful layer of indirection.
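A shell sketch of the certificate persistence Adam asks about, added here as an example and not part of the thread: it extracts the server key's SPKI fingerprint with openssl, keeps an SSH-style known-hosts pin file (the file format is invented for this script), and hands the pin to curl's --pinnedpubkey option, which assumes a curl from 7.39 or later rather than the 2005-era curl in the message.

```shell
#!/bin/sh
# Added example: SSH-like "continuity of identity" (trust on first use) for a
# TLS server. Assumptions: openssl and curl 7.39+ on PATH; the pin file format
# "host base64-spki-hash" is invented here.
set -eu

PINFILE="${PINFILE:-${HOME:-.}/.tls_known_hosts}"

# Base64 SHA-256 of the Subject Public Key Info of a PEM certificate on stdin.
# This is the value curl expects after "sha256//" in --pinnedpubkey.
spki_hash() {
    openssl x509 -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# Fetch the leaf certificate currently presented by HOST PORT.
server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM
}

# tofu_check HOST HASH PINFILE
# Returns 0 when HOST is unknown (pin recorded) or matches the stored pin,
# 1 when the stored pin differs (possible MITM or a legitimate key change
# that the operator must confirm by hand).
tofu_check() {
    host=$1; hash=$2; pinfile=$3
    touch "$pinfile"
    stored=$(awk -v h="$host" '$1 == h { print $2; exit }' "$pinfile")
    if [ -z "$stored" ]; then
        printf '%s %s\n' "$host" "$hash" >> "$pinfile"
        return 0
    fi
    [ "$stored" = "$hash" ]
}

# fetch_pinned HOST URL: first use records the key; later uses refuse to
# talk to a server presenting a different key, and curl re-checks the pin
# on the connection it actually uses.
fetch_pinned() {
    host=$1; url=$2
    hash=$(server_cert "$host" 443 | spki_hash)
    tofu_check "$host" "$hash" "$PINFILE" \
      || { echo "key for $host changed, refusing to connect" >&2; return 1; }
    curl --silent --show-error --pinnedpubkey "sha256//$hash" "$url"
}
```

Note that pinning the key this way is independent of which CA signed the certificate, so it works for self-signed certs and for the private-CA setup John Denker proposes alike.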
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com