[mm] delegating SSL certificates

Ben Laurie ben at links.org
Sun Mar 16 14:52:06 EDT 2008


Dirk-Willem van Gulik wrote:
> So I'd argue that while x509, its CA's and its CRL's are a serious pain 
> to deal** with, and seem to add little value if you assume a very diligent 
> and experienced operational team -- they do provide a useful 
> 'procedural' framework and workflow-guide which is in itself very 
> valuable, relatively robust and are a little bit organisationally 
> "inherently fail-safe". The latter as you are forced to think about 
> expiry of the assertions, what to do when a CRL is too old and so on.

I think there's a large gulf between the use case where the relying 
party and the CA are the same entity, and where they do not even have a 
contractual arrangement.

CAs within a corporate environment may well be a good idea in some 
cases, indeed. As you know, we've been pushing on this idea at the 
Apache Software Foundation for some time now, hindered only by our 
laziness :-)

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


