A cert by itself is more or less a wrapper - but that's not the way PKI
works (certs by themselves) - you have certs and trust anchors - the anchors
being the method of verifying the identity of the person presenting the cert
- you can do proof of possession as well to verify the identity supplicant
knows the private key.

Randy

From:  Michael Thomas <[email protected]>
Date:  Thursday, September 18, 2014 at 3:06 PM
To:  David R Oran <[email protected]>, Rene Struik
<[email protected]>
Cc:  <[email protected]>, Markus Stenberg <[email protected]>
Subject:  Re: [homenet] HNCP security?

    
 
 
On 9/18/14, 8:57 AM, David R Oran wrote:

> On Sep 18, 2014, at 11:46 AM, Rene Struik <[email protected]> wrote:
>
>> It seems that the cryptographic literature needs to be rewritten now ...
>> 
>> ==
>> Anything you can do with a cert, you can do with raw public keys, and you
>> don't need CA's. See RFC4871 for an example.
>>  
>  
> I would have thought it was the opposite:
> anything you can do with raw keys you can do with certificates.
>  
 
FWIW, this is also true even though the rest wasn't. You can always strip
the x509 coating and use the raw keys, yes. Which begs the question of why
use the coating if it's not doing anything useful, which is pretty much the
situation with self-signed certs.

To paraphrase:

'Some people, when confronted with a security problem, think "I know, I'll
use certificates." Now they have two problems.'
 
 Mike
 
_______________________________________________ homenet mailing list
[email protected] https://www.ietf.org/mailman/listinfo/homenet
