Dirk-Willem van Gulik
Mon, 17 Mar 2008 09:36:05 -0700
On Mar 16, 2008, at 7:52 PM, Ben Laurie wrote:
Dirk-Willem van Gulik wrote:So I'd argue that while x509, its CA's and its CRL's are a serious pain to deal** with, and seem add little value if you assume avery diligent and experienced operational team -- they do provide a useful 'procedural' framework and workflow-guide which is in itself very valuable, relatively robust and are a little bit organisationally "inherently fail-safe". The latter as you are forced to think about expiry of the assertions, what to do when a CRL is too old and so on.I think there's a large gulf between the use case where the relying party and the CA are the same entity, and where they do not even have a contractual arrangement.
I think you are hitting a key point here. In a way - a CA (or some sub- CA) is less of an authority and more of a, ideally, somewhat consistent organizational realm.
CAs within a corporate environment may well be a good idea in some cases, indeed. As you know, we've been pushing on this idea at the Apache Software Foundation for some time now, hindered only by our laziness :-)
And at the same time we need to learn to, or be weaned away from, the hardened shell perimeter ideas, that of a single super reliable root - and start to see a CA as something like one of the Kerberos KDC's we trust, just a NIS+ server we like, etc.
Dw --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]