On 01/27/2012 04:02 PM, Kyle Hamilton wrote: > Why is everything so single-point-of-failure in the Security working > area? Does it really have to be?
You seem to be suggesting that we should be considering redundant,
corroborative certification techniques to ensure that the key offered by
the peer really does belong to the peer.
I agree that any solution which actually improves on the status quo will
have to include this sort of approach.
I don't think that it follows from this that you'd need to encourage
people to use multiple keys per entity, though.
The best argument i've seen for using multiple keys is the material
Chris Palmer (i think) wrote about how to deploy public key pinning,
where having a (presumably offline) backup key per managed entity gives
you some flexibility if you discover a compromise of pinned key material
that's currently in use.
Anyway, i agree with you that the question we're hoping our tools can
ask and answer is "is this key (offered by this peer) a legitimate key
for the entity we think the peer is?", not "...*the* legitimate key..."
Note that there are some contexts (e.g. sending an e-mail) where the
peer doesn't have a chance to present you with a key for you to
evaluate. in those contexts, your tools will actually need to select a
single key from the various (hopefully redundant, corroborative)
discovery mechanisms available to them. So in those contexts, "the" is
a legitimate article to use.
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
