This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Patrik Fältström
paf at cisco.com
Wed Jul 16 16:37:51 CEST 2003
On Wednesday, Jul 16, 2003, at 16:28 Europe/Stockholm, Randy Bush wrote:

> so i am supposed to install the RIRs' certs in my browser as root
> CAs and ignore the big hole for attack this opens? i already
> *remove* a bunch of root CAs when i bring up a new browser. this
> is the new internet. get paranoid.
>
> let the RIRs spend a few of the bucks they have getting their certs
> signed by a well-trusted root CA.

It all depends on who you trust.

If I personally am to communicate with someone, I want to have that other party give me via in-real-life-communication his fingerprint for his PGP key (and vice versa). Then we have the trust relationship needed. I can further in all PGP implementations I have seen say "I do _NOT_ trust this other party as one which introduces others (I trust him, but not keys he signs)." I have not seen that you can do that with X.509/SSL.

This, which Randy points out, is very important, as with X.509 you always need a third party. There are good reasons why the RIR should get their cert from a "real" CA, but then both the RIR and the customer need to trust this third party.

Do we trust the third party more than the RIR?

paf