Five Theses on Security Protocols

Guus Sliepen guus at sliepen.org
Sat Jul 31 13:30:06 EDT 2010


On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:

> 1 If you can do an online check for the validity of a key, there is no
>   need for a long-lived signed certificate, since you could simply ask
>   a database in real time whether the holder of the key is authorized
>   to perform some action. The signed certificate is completely
>   superfluous.
> 
>   If you can't do an online check, you have no practical form of
>   revocation, so a long-lived signed certificate is unacceptable
>   anyway.

But, if you query an online database, how do you authenticate its answer? If
you use a key or SSL certificate for that, I see a chicken-and-egg problem.

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus at sliepen.org>
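The authentication step Guus asks about, modelled as an added example (not code from either poster): the online database's answer carries an Ed25519 signature, and a client can only act on it if it already holds the authority's public key as an out-of-band trust anchor. The key identifiers and the statement format are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authority is the online database that answers "is key X authorized?".
// Its state can change at any moment, which is what gives real-time
// revocation without a long-lived certificate.
type Authority struct {
	pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	authorized map[string]bool // constructed sample state
}

func NewAuthority() *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authority{pub: pub, priv: priv, authorized: map[string]bool{}}
}

func (a *Authority) PublicKey() ed25519.PublicKey { return a.pub }
func (a *Authority) Grant(keyID string)           { a.authorized[keyID] = true }
func (a *Authority) Revoke(keyID string)          { delete(a.authorized, keyID) }

// Answer returns the signed statement "<keyID> authorized=<bool>".
func (a *Authority) Answer(keyID string) (stmt, sig []byte) {
	stmt = []byte(fmt.Sprintf("%s authorized=%t", keyID, a.authorized[keyID]))
	return stmt, ed25519.Sign(a.priv, stmt)
}

// Client holds the one thing it cannot fetch from the database itself:
// the authority's public key, obtained out of band. That pre-established
// trust is the chicken-and-egg Guus points at.
type Client struct{ Anchor ed25519.PublicKey }

var ErrUntrusted = errors.New("answer not signed by the trusted authority")

// Authorized accepts an answer only if it verifies under the anchor;
// with no anchor (or a wrong one) the answer carries no information.
func (c Client) Authorized(stmt, sig []byte, keyID string) (bool, error) {
	if c.Anchor == nil || !ed25519.Verify(c.Anchor, stmt, sig) {
		return false, ErrUntrusted
	}
	return string(stmt) == keyID+" authorized=true", nil
}
```

Note that the anchor is itself a long-lived key that the client must distribute and, if compromised, replace: the online check moves the trust root, it does not remove it.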