Assume, contra facto, that in some future iteration of PKI, it
works, and works very well.
What the heck does it look like?
At a guess Anybody can create a key (or key pair). They
get one clearly marked private, which they're supposed to keep,
and one clearly marked public, which

Apparently the DNS root key is protected by what sounds like a five-of-seven
threshold scheme, but the description is a bit unclear. Does anyone know
more?
(Oh, and for people who want to quibble over practically-deployed, I'm not
aware of any real usage of threshold schemes for anything, at

On Fri, 30 Jul 2010 19:40:49 -0700 Ray Dillinger b...@sonic.net
wrote:
Assume, contra facto, that in some future iteration of PKI, it
works, and works very well.
What the heck does it look like?
At a guess Anybody can create a key (or key pair). They
get one clearly marked private,

Hi Henrique --
This is to answer the excellent questions you asked at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587665#81
Since that bug is now closed (as it should be), and since these
questions are only tangentially related to that bug anyway, I am
emailing you directly. Feel free

Inspired by recent discussion, these are my theses, which I hereby
nail upon the virtual church door:
1 If you can do an online check for the validity of a key, there is no
need for a long-lived signed certificate, since you could simply ask
a database in real time whether the holder of the

At 07:16 AM 7/28/2010, Ben Laurie wrote:
SSH does appear to have got away without revocation, though the nature
of the system is s.t. if I really wanted to revoke I could almost
always contact the users and tell them in person. This doesn't scale
very well to SSL-style systems.
Unfortunately,

corollary to security proportional to risk is parameterized risk management
... where variety of technologies with varying integrity levels can co-exist within the same
infrastructure/framework. transactions exceeding particularly technology risk/integrity threshold
may still be approved given

Nice theses. I'm looking forward to the other 94. The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed. (Succeed as in, people actually use it.)
2 A third party attestation, e.g. any certificate issued by any modern
CA, is worth exactly as much as

Perry E. Metzger pe...@piermont.com writes:
Inspired by recent discussion, these are my theses, which I hereby nail upon
the virtual church door:
Are we allowed to play peanut gallery for this?
1 If you can do an online check for the validity of a key, there is no
need for a long-lived signed

On 31 jul 2010, at 08.44, Peter Gutmann wrote:
Apparently the DNS root key is protected by what sounds like a five-of-seven
threshold scheme, but the description is a bit unclear. Does anyone know
more?
The DNS root key is stored in HSMs. The key backups (maintained by ICANN) are
encrypted

Usability engineering requires empathy. Isn't it interesting that nerds
built themselves a system, SSH, that mostly adheres to Perry's theses? We
nerds have empathy for ourselves. But when it comes to a system for other
people, we suddenly lose all empathy and design a system that ignores
Perry's
11 matches