Ian Grigg wrote:
> Jill Ramonsky wrote:
> > (3) MULTIPLY SIGNED CERTIFICATES
..snip..
> I don't believe it is possible to multiply-sign
> x.509 certs. This is one of the reasons that
> PKIs based on x.509 have a miserable record, as
> the absence of any web of trust support and the
> promoting of a hierarchical trust model goes
> against most business and individual practices.
..snip..
> But, what's the point to the question? I'm
> not quite sure how this relates to the essential
> question of implementing TLS?
I suspect the reason for wanting multiply signed certs in a simple TLS implementation is that the primary targets for such a library are P2P applications. Most encrypted P2P apps use roll-your-own link encryption, probably in an insecure manner. They'd certainly benefit from a secure protocol like TLS, using self-signed certs SSH-style for node identification where appropriate. They would also probably benefit from a PGP-style web of trust. If it's not possible to implement this using x.509 certs, perhaps the effort would be better spent deriving a protocol variant that meets those needs.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
