On Mon, Apr 06, 2009 at 11:56:15PM -0700, Kyle Hamilton wrote:
> Third, the
> entire point of X.509 is to allow for clients to have all the
> information they need to verify certificates in the absence of an
> online authority.
This said, it is now widely understood that this particular "entire point"
of X.509 is its most severe design error. Thus X.509 drifts gradually back
towards a Kerberos-like model, but the design is still fatally flawed
until key certificate issuance moves into the hands of the subject's
organization, rather than a third-party CA (that model does not scale).
Of course secure distributed key management on an Internet-wide scale has
never been done before, and may never work, but if it does the first step
is probably a trusted DNS in which one can publish signing keys. This is
all some time away, and in the meantime we (still don't) have X.509 PKI.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]