Simple SSL/TLS - Some Questions

Anonymous cripto at ecn.org
Tue Oct 7 19:22:27 EDT 2003


Ian Grigg wrote:
> Jill Ramonsky wrote:
> > (3) MULTIPLY SIGNED CERTIFICATES
..snip..
> I don't believe it is possible to multiply-sign
> x.509 certs.  This is one of the reasons that
> PKIs based on x.509 have a miserable record, as
> the absence of any web of trust support and the
> promoting of a hierarchical trust model goes
> against most business and individual practices.
..snip..
> But, what's the point to the question?  I'm
> not quite sure how this relates to the essential
> question of implementing TLS?

I suspect the reason for wanting multiply signed certs in a simple TLS implementation is that the primary targets for such a library are P2P applications.  Most encrypted P2P apps use roll-your-own link encryption, probably in an insecure manner.  They'd certainly benefit from a secure protocol like TLS, using self-signed certs SSH-style for node identification where appropriate.  They would also probably benefit from a PGP-style web of trust.  If it's not possible to implement this using x.509 certs, perhaps the effort would be better spent deriving a protocol variant that meets those needs.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
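As an added illustration of the "self-signed certs SSH-style for node identification" idea in the message above (example code written for this page, not from the thread or any project): a trust-on-first-use store that pins each peer's certificate fingerprint on first contact and fails closed on any later mismatch, plus the client-side TLS wrapper that enforces the pin before application data flows. The peer-id scheme, the JSON store format and the connect_pinned helper are assumptions.

```python
"""SSH-style trust-on-first-use pinning for self-signed TLS peer certificates."""
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


class PeerKeyChanged(Exception):
    """A known peer presented a certificate whose fingerprint differs from the pin."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex (OpenSSL style)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownPeers:
    """known_hosts-style store of peer id -> pinned fingerprint; in memory if path is None."""

    def __init__(self, path: Path = None):
        self.path = path
        self.pins = json.loads(path.read_text()) if path and path.exists() else {}

    def verify(self, peer_id: str, der_cert: bytes) -> str:
        """Return 'new' (pin recorded on first contact) or 'known' (pin matched)."""
        fp = fingerprint(der_cert)
        pinned = self.pins.get(peer_id)
        if pinned is None:
            self.pins[peer_id] = fp
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=1))
            return "new"
        if not hmac.compare_digest(pinned, fp):
            raise PeerKeyChanged(f"{peer_id}: pinned {pinned}, presented {fp}")
        return "known"


def connect_pinned(peers: KnownPeers, host: str, port: int) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin before any application data flows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain exists; trust comes only from the pin
    tls = ctx.wrap_socket(socket.create_connection((host, port)))
    try:
        peers.verify(f"{host}:{port}", tls.getpeercert(binary_form=True))
    except PeerKeyChanged:
        tls.close()  # fail closed: a changed key may be a re-keyed node or an interposer
        raise
    return tls
```

The first contact is the only unauthenticated one, exactly as with SSH known_hosts; a web-of-trust layer, if one were built on top, would be what vouches for that first fingerprint.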