Five Theses on Security Protocols
Guus Sliepen
guus at sliepen.org
Sat Jul 31 13:30:06 EDT 2010
On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:
> 1 If you can do an online check for the validity of a key, there is no
> need for a long-lived signed certificate, since you could simply ask
> a database in real time whether the holder of the key is authorized
> to perform some action. The signed certificate is completely
> superfluous.
>
> If you can't do an online check, you have no practical form of
> revocation, so a long-lived signed certificate is unacceptable
> anyway.
But, if you query an online database, how do you authenticate its answer? If
you use a key or SSL certificate for that, I see a chicken-and-egg problem.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at sliepen.org>
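An added example, not part of the thread: a Go sketch of the online-check model Perry describes, showing that the client can authenticate the database's answer only under a key it already holds, which is the trust anchor Guus's reply is pointing at. The type and function names (StatusResponse, Database, NewDatabase, Answer, Verify), the nonce binding and the in-memory revocation map are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// StatusResponse is a hypothetical signed answer from an online key-validity database.
type StatusResponse struct {
	Subject   ed25519.PublicKey // key whose status was queried
	Nonce     [16]byte          // client nonce echoed back: binds the answer to this query
	Valid     bool              // the database's verdict
	Signature []byte            // database signature over the three fields above
}
func encode(subject ed25519.PublicKey, nonce [16]byte, valid bool) []byte { // bytes both sides sign
	msg := append([]byte{}, subject...)
	msg = append(msg, nonce[:]...)
	if valid {
		return append(msg, 1)
	}
	return append(msg, 0)
}

// Database is the online responder; its long-lived signing key is the anchor a client must pin.
type Database struct {
	Priv    ed25519.PrivateKey
	Revoked map[string]bool // constructed revocation state, keyed by raw subject key bytes
}

// NewDatabase creates a responder and returns the public key a client has to pin out of band.
func NewDatabase() (*Database, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Database{Priv: priv, Revoked: map[string]bool{}}, pub
}
// Answer returns a signed, nonce-bound validity statement for subject.
func (d *Database) Answer(subject ed25519.PublicKey, nonce [16]byte) StatusResponse {
	valid := !d.Revoked[string(subject)]
	return StatusResponse{subject, nonce, valid, ed25519.Sign(d.Priv, encode(subject, nonce, valid))}
}

// Verify accepts an answer only if it echoes our nonce and verifies under the pinned anchor.
func Verify(anchor ed25519.PublicKey, r StatusResponse, nonce [16]byte) (bool, error) {
	if r.Nonce != nonce {
		return false, errors.New("nonce mismatch: replayed or foreign answer")
	}
	if !ed25519.Verify(anchor, encode(r.Subject, r.Nonce, r.Valid), r.Signature) {
		return false, errors.New("answer does not verify under the pinned database key")
	}
	return r.Valid, nil
}
```

Without the pinned anchor, Verify has nothing to check the signature against, so the online answer is only as trustworthy as the long-lived key the client was given in advance.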