On 8/23/13 8:26 PM, Evgeniy Khramtsov wrote:
> On 24.08.2013 03:21, Peter Saint-Andre wrote:
>> On 8/23/13 1:55 AM, Evgeniy Khramtsov wrote:
>>>
>>> I admit I'm total noob in all that CA/PKIX/DNSSEC stuff as it
>>> makes me sleepy as hell when I try to dive into it ;) What I'd
>>> like to have is TLS-security without any CAs at all. If we can
>>> do that with DANE/DNSSEC/ABCD, I'm in ;)
>>
>> I think we're all in -- or we *will* be when DANE/DNSSEC is
>> widely deployed, which unfortunately won't happen for years
>> (IMHO) because of all the dependencies on making it work.
>>
>> In the meantime, something like POSH can help:
>>
>> https://datatracker.ietf.org/doc/draft-miller-posh/
>
> I read the I-D briefly. It seems like I still need CA-signed
> certfile for the HTTPS-server holding the JWK: "... the HTTPS
> retrieval mechanism relies on the chain of trust based on the
> *public* *key* *infrastructure*".

Well, the certificate for your HTTPS service can be self-signed if you
please (PKI doesn't mean CA-issued, it just means X.509 instead of
something like PGP, bare keys, etc.).

Peter

--
Peter Saint-Andre
https://stpeter.im/
