On Fri, Sep 23, 2011 at 8:21 PM, ianG <[email protected]> wrote:
> On 24/09/11 05:13 AM, Jon Callas wrote:
>>
>> On Sep 23, 2011, at 11:17 AM, Ben Laurie wrote:
>>
>>> On Thu, Sep 22, 2011 at 4:46 PM, Peter Gutmann
>>> <[email protected]> wrote:
>>>>
>>>> Ben Laurie <[email protected]> writes:
>>>>
>>>>> Well, don't tease. How?
>>>>
>>>> The link I've posted before (but didn't want to keep spamming to the
>>>> list):
>>>>
>>>> http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf
>>>
>>> That was a fun read and I mostly agree, but it raises some questions...
>>>
>>> a) Key continuity is nice, but ... are you swapping one set of
>>> problems for another? What happens when I lose my key? How do I roll
>>> my key? I just added a second server with a different key, and now a
>>> bunch of users have the "wrong" key - what do I do? How do I deal with
>>> a compromised key?
>>
>> Great rhetorical questions, Ben. You nail it.
>>
>> Continuity is great, but it has its own set of problems that include all
>> the ones you mention. Rolling keys is the easiest one of them and can be
>> solved pretty much the same way. But all the others are problems that
>> continuity introduces. I brought up these issues in my long rant. Continuity
>> can solve some, but not all of the problems.
>
> Think of it as CA-signed+key-continuity. Not either/or, but both,
> integrated, melded.
I'm thinking of it, and I don't get it. The answer to all these questions
seems to be "enroll with a CA". How did that help?

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
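To make the continuity questions in the thread concrete, here is an added example (not code from any of the participants) of a trust-on-first-use key store: it pins a host's key on first sight, reports a changed key as a mismatch, and accepts a rollover only when the previously pinned key has signed the new one. The Ed25519 choice and the "old key endorses new key" rollover rule are assumptions for illustration; note that a lost or compromised pinned key, and a second server that was never endorsed, all surface as the same mismatch, which is exactly the gap continuity alone leaves open.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Outcome of checking a presented key against the continuity store.
type Outcome int

const (
	FirstSeen  Outcome = iota // no pin yet: trust on first use
	Match                     // presented key equals the pin
	RolledOver                // new key, endorsed by the old pinned key
	Mismatch                  // new key with no endorsement: cannot tell
	                          // a rollover from a compromise or a second server
)

// Store maps a host name to the public key pinned for it (in memory here;
// a real client would persist it).
type Store map[string]ed25519.PublicKey

// Check applies the continuity rule. endorsement, if non-nil, is an Ed25519
// signature over the presented key made with the previously pinned key's
// private half (the assumed rollover policy).
func (s Store) Check(host string, presented ed25519.PublicKey, endorsement []byte) Outcome {
	pinned, ok := s[host]
	if !ok {
		s[host] = presented
		return FirstSeen
	}
	if pinned.Equal(presented) {
		return Match
	}
	if endorsement != nil && ed25519.Verify(pinned, presented, endorsement) {
		s[host] = presented // old key vouched for the new one: move the pin
		return RolledOver
	}
	return Mismatch
}

func main() {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	s := Store{}
	fmt.Println(s.Check("host.example", oldPub, nil))                        // 0 FirstSeen
	fmt.Println(s.Check("host.example", newPub, nil))                        // 3 Mismatch
	fmt.Println(s.Check("host.example", newPub, ed25519.Sign(oldPriv, newPub))) // 2 RolledOver
}
```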
