[86922] in North American Network Operators' Group
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Nov 22 15:32:54 2005
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Randy Bush <randy@psg.com>
Cc: Sandy Murphy <sandy@tislabs.com>, nanog@nanog.org
In-Reply-To: Your message of "Tue, 22 Nov 2005 10:25:10 -1000."
<17283.32422.105302.757816@roam.psg.com>
Date: Tue, 22 Nov 2005 15:32:22 -0500
Errors-To: owner-nanog@merit.edu
In message <17283.32422.105302.757816@roam.psg.com>, Randy Bush writes:
>
>> I believe a web of trust can be operationally feasible only if the web
>> is more like a forest - if there are several well known examples of
>> "tops" to the web. Otherwise, you have to be storing a plethora of
>> different signers' certificates to be able to validate all the
>> institution's certificates that come in.
>
>you need those certs to verify the live data anyway
>
Right. The real issue is the trust determination -- how do you know
that the certificate corresponds to something resembling reality
(whatever that is)?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
