Just wanted to observe that authentication woes are not unique to the
Internet and its collection of CAs. Authenticating things on a global
basis is hard.
There is a significant number of examples of bad decisions. I'd say
that proof of possession was not used as much in the non-Internet world.
Regards,
-sm
I'm puzzled by your last comment. In the PKI context, the phrase "proof
of possession" (PoP) refers to a mechanism used to verify that a subject
requesting a cert possesses the private key corresponding to the public
key in the cert request.
When an entity receives a cert containing Subject name (or Subject alt name)
that is not appropriately associated with the entity, that is NOT a failure
of PoP. The entity presumably does possess the corresponding private key,
since it can't complete a TLS exchange without it.
Steve
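
An added illustration of the distinction drawn in the reply above (not part of the original thread, and not code from either poster): a certificate request passes the PoP check whenever it is signed with the key it carries, whatever Subject name it asks for, so name validation has to be a separate step. It uses the Python `cryptography` package; the function names, the `.example` host names and the `validated_names` set (standing in for the result of a CA's own name validation) are assumptions made for the example.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_csr(key, common_name):
    """Build a PKCS#10 request; signing it with `key` is the PoP."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .sign(key, hashes.SHA256())
    )


def pop_ok(csr):
    """PoP check: the request's signature verifies under its own public key."""
    return csr.is_signature_valid


def name_authorized(csr, validated_names):
    """Separate check: is the requested name one the requester was validated for?

    `validated_names` is a hypothetical stand-in for the CA's validation result.
    """
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn in validated_names


def evaluate(csr, validated_names):
    """Report both checks side by side; issuance needs both to be True."""
    return {"pop": pop_ok(csr), "name": name_authorized(csr, validated_names)}


# Constructed scenario: the requester was validated for one name only.
requester_key = ec.generate_private_key(ec.SECP256R1())
validated = {"requester.example"}

honest = make_csr(requester_key, "requester.example")
misbound = make_csr(requester_key, "other-party.example")

if __name__ == "__main__":
    print("honest  :", evaluate(honest, validated))
    print("misbound:", evaluate(misbound, validated))
```

The second request is the case described in the reply: PoP succeeds because the requester really holds the private key, and only the name check catches the inappropriate Subject.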
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass