Re: IPsec near term work

[Derek Atkins <warlord@MIT.EDU>]

> Our implementation does not match PGP's web of trust completely.  I'm
> not sure I understand all of the implications of a web of trust.  But
> the general thrust of our work here is to attempt to deal with a
> larger range of models for precisely the same reasons you have in
> mind.

I've been trying to come to grips with this myself, Steve.  I've sat
down with a number of people and tried to explain how this works, each
time beginning to understand it better myself.  One of the major
differences with the web is that a certificate can have any number of
signatures on it, and also it means that *ANYONE* can become a
certification authority.

Since trust is not automatically transitive without setting individual
trust parameters, it has, without any changes, become a cryptographic
equivalent of TIS/PEM.  However, if I understand TIS/PEM properly,
when you trust a certificate, you don't sign it yourself -- rather,
you just stick a bit in the database that says you trust it.  (Please
correct me, possibly in private email, if I am wrong here -- I haven't
looked at the code myself).

However, since you can have multiple signatures, this means that you
can be signed by any number of "CA"'s, each of which may or may not
trust one another, and it puts a cryptographic mark on the certificate
to show to yourself and others that this trust exists.

I realize that these aren't *all* the implications -- I'm sure that
even Phil Zimmermann doesn't understand *all* the implications -- but
I hope I've shed some light it a little.

-derek

---

Follow-Ups:

• Re: IPsec near term work
• From: Stephen D Crocker <crocker@tis.com>

References:

• Re: IPsec near term work
• From: Stephen D Crocker <crocker@tis.com>

---

• Prev by Date: Re: IPsec near term work
• Next by Date: Re: IPsec near term work
• Prev by thread: Re: IPsec near term work
• Next by thread: Re: IPsec near term work
• Index(es):
  • Main
  • Thread