[cap-talk] A petname toolbar for Firefox
Ian G
iang at systemics.com
Mon Feb 21 10:50:14 EST 2005
Mark Miller wrote:
> Ian G wrote:
>
>> What David suggests - the server is its own authority, and
>> creates locally signed certs on its own merits - is how any
>> sensible design would lay things out. (Yes, that's what
>> my system does, how about E?)
>
>
> I wrote:
> > If I understand you correctly, the answer is, yes, E does this too.
>
> Ian G wrote:
>
>> This isn't going to happen in SSL's PKI, and the PKI
>> was probably designed not to let it happen (do we
>> need to show that to this audience?) ... so unless
>> someone knows a way to get the Apache boys to
>> re-engineer this part, that design is a theoretical
>> hope only.
>
>
> Perhaps I spoke prematurely. AFAIK, HTTPSY works within the existing
> TLS spec. E will be switching over to using TLS in exactly the same
> way that HTTPSY does.
OK, there is a big difference between TLS and the
PKI. The two need to be kept separately in mind
and in conversation, although it seems uncommon
rare to untangle.
A system may use one or the other without needing
to use both. In the above I refer to "SSL's PKI" as it
arose in it's original form ... e.g., as SSL and the PKI
arose for their common cause. Later on, there was
some degree of separation as some applications took
TLS the protocol, and others used the PKI with other
protocols.
Is there a document describing the security model
of this new system?
(Just as an aside, I think TLS to be a clumsy choice
if reliability is required. It is singularly a near worst
way to go for payments, for example.)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
More information about the cap-talk
mailing list