Simple SSL/TLS - Some Questions
Anonymous
cripto at ecn.org
Tue Oct 7 19:22:27 EDT 2003
Ian Grigg wrote:
> Jill Ramonsky wrote:
> > (3) MULTIPLY SIGNED CERTIFICATES
..snip..
> I don't believe it is possible to multiply-sign
> x.509 certs. This is one of the reasons that
> PKIs based on x.509 have a miserable record, as
> the absence of any web of trust support and the
> promoting of a hierarchical trust model goes
> against most business and individual practices.
..snip..
> But, what's the point to the question? I'm
> not quite sure how this relates to the essential
> question of implementing TLS?
I suspect the reason for wanting multiply signed certs in a simple TLS implementation is that the primary targets for such a library are P2P applications. Most encrypted P2P apps use roll-your-own link encryption, probably in an insecure manner. They'd certainly benefit from a secure protocol like TLS, using self-signed certs SSH-style for node identification where appropriate. They would also probably benefit from a PGP-style web of trust. If it's not possible to implement this using x.509 certs, perhaps the effort would be better spent deriving a protocol variant that meets those needs.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
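The SSH-style use of self-signed certificates for node identification suggested in the message above is trust on first use: pin the certificate fingerprint at first contact and refuse a changed one afterwards. The sketch below is an added example, not part of the original post; the store file, node ids and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Outcomes mirror what an SSH client reports for a host key.
NEW, MATCH, MISMATCH = "new", "match", "mismatch"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the peer certificate."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """known_hosts-style store: node id -> pinned certificate fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, node_id: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self.pins.get(node_id)
        if pinned is None:
            # First contact: record the pin. The caller decides whether to
            # accept silently or confirm the fingerprint out of band.
            self.pins[node_id] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return NEW
        # Constant-time compare; a mismatch never overwrites the pin.
        return MATCH if hmac.compare_digest(pinned, seen) else MISMATCH

def demo(path):
    # Constructed stand-ins for DER certificates. In a real client the bytes
    # would come from ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a = b"constructed-der-cert-node-a"
    cert_b = b"constructed-der-cert-other-key"
    store = PinStore(path)
    results = [store.check("node-a", cert_a), store.check("node-a", cert_a)]
    # Reload from disk to show the pin persists across runs.
    results.append(PinStore(path).check("node-a", cert_b))
    return results

if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(os.path.join(d, "known_nodes.json")))
```

A MISMATCH result should abort the connection; replacing a pin is a deliberate operator action, as with editing known_hosts.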