Ken Hornstein <[EMAIL PROTECTED]> writes:

> In theory you don't need to encrypt the CA certificate, but you should
> verify its integrity somehow. This is one of the places where PKI
> tends to cheat; it works great in the usual case where web browsers have
> a standard list of CAs that they accept.

For values of great equal to "trusting a bunch of commercial CAs proven to be willing to hand out signed certificates to random people with only a minimum of identification." I definitely would not trust, say, Verisign to do identity management properly. They're more interested in making money.

> While I agree it removes the need to share a _secret_, they still need
> to have some sort of trust relationship that should in theory involve
> some out-of-band initialization. At the end of the day, I don't see
> this fundamentally easier than the initialization that Kerberos does.

Agreed.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
