
Re: editorial on Photuris



Perry,

        You are right that X.509 also is not widespread in its deployment,
in "the grand scheme of things," even though there are several million
users in X.500 directories (on a worldwide basis).  However, your comment
about the "horrifying infrastructure" associated with X.509 seems ill-founded.
Perhaps you are referring to the certification hierarchy defined
in RFC 1422, but that model is not equivalent to X.509.  The use of X.500
DSAs to store certificates also is not strictly required to use X.509
certificates; any directory scheme will suffice.  This is a requirement for
any certificate scheme, at least to the extent that one needs to acquire
certificates and CRLs by a means other than real-time exchange.  However,
for IP security, real-time exchange might be adequate, unlike in email
contexts.  The one point I will concede from your criticism is that X.509
certificates do require the use of DNs as the base naming model, even
though version 3 certificates also accommodate other name forms, e.g., DNS
names.

        Yes, we could define an Internet certificate, but do we need to?
My suggestion, seconding Charlie's, was to not make Photuris dependent on a
specific certificate format, but to accommodate multiple formats.  I still
think that's a useful idea.

Steve
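The point above about X.509 requiring a DN as the subject while version 3 certificates also carry other name forms (DNS names, IP addresses) in the subjectAltName extension can be shown concretely. The following is an added example, not code from this thread or from any Photuris implementation; it assumes the Python `cryptography` package is installed, and every name, address and function (`make_self_signed_v3_cert`, `peer_names`, `cert_names_peer`, `verify_self_signed`) is constructed here for illustration. It builds a self-signed v3 certificate whose subject is a DN, attaches DNS and IP alternative names, checks the self-signature, and then shows how an IP-security peer could bind to the SAN forms instead of the DN.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_self_signed_v3_cert(common_name, dns_names, ip_addresses):
    """Build a self-signed X.509 v3 certificate.  The subject is a DN (the
    mandatory base naming model); the subjectAltName extension carries the
    v3 alternative name forms (dNSName and iPAddress).  All values are
    constructed sample data for this example."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = issuer = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    san = x509.SubjectAlternativeName(
        [x509.DNSName(d) for d in dns_names]
        + [x509.IPAddress(ipaddress.ip_address(a)) for a in ip_addresses]
    )
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(san, critical=False)  # presence of an extension forces v3
        .sign(key, hashes.SHA256())
    )
    return cert, key


def is_v3(cert):
    """True when the certificate is encoded as X.509 version 3."""
    return cert.version == x509.Version.v3


def verify_self_signed(cert):
    """Check the certificate's signature with its own public key (RSA PKCS#1 v1.5)."""
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except Exception:
        return False


def peer_names(cert):
    """Return the name forms a peer could bind to: the subject DN (always
    present) plus any DNS names and IP addresses from subjectAltName."""
    dn = cert.subject.rfc4514_string()
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        ).value
    except x509.ExtensionNotFound:
        return dn, [], []
    dns_names = san.get_values_for_type(x509.DNSName)
    ips = [str(a) for a in san.get_values_for_type(x509.IPAddress)]
    return dn, dns_names, ips


def cert_names_peer(cert, expected_dns=None, expected_ip=None):
    """Decide whether the certificate names the intended peer, using the SAN
    forms (DNS name, case-insensitively, or IP address) rather than the DN."""
    _, dns_names, ips = peer_names(cert)
    if expected_dns is not None:
        if expected_dns.lower() in (d.lower() for d in dns_names):
            return True
    if expected_ip is not None and expected_ip in ips:
        return True
    return False


if __name__ == "__main__":
    cert, _ = make_self_signed_v3_cert("gw.example.com", ["gw.example.com"], ["192.0.2.1"])
    print("v3:", is_v3(cert), "self-signature ok:", verify_self_signed(cert))
    print("names:", peer_names(cert))
    print("matches gw.example.com:", cert_names_peer(cert, expected_dns="gw.example.com"))
```

The DN is still what the certificate is issued to, so a verifier that needs chain building and CRL lookup keys on it; the SAN entries are what an IP-security peer can compare against the host name or address it actually set out to talk to.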