
Re: editorial on Photuris

Charles Watt writes (in response to me):
> > Steve;
> > 
> > I would suggest that X.509 certificates are also not widespread in the
> > "grand scheme of things" and require a horrifying X.500 infrastructure
> > for real world use -- an infrastructure that most people are unwilling
> > to deploy -- and require the use of distinguished names which, for
> > better or worse, have proven unacceptable to the internet
> > community.
> 
> The use of X.509 certificates in no way requires an X.500 infrastructure.

Nor does the use of bicycles require pneumatic tires, but they do make
the thing much more pleasant. If you can't look up things by DN the
situation becomes sticky fast.

> Nor do DNs ever have to be presented at the user or
> application level.

No, but again, things get ugly if what one is binding isn't what the
user cares about.

I understand that many of you folks have an emotional commitment to
X.509, but I'll be blunt -- a good 60% of the IETF is totally opposed
to the stuff, and another 20% will use it only with the greatest
possible reluctance. You've probably spent most of your time with the
10% that are merely unhappy with the thing and the 10% who
actually like them.

> But as I've previously stated, this argument is being made out of turn.
> Photuris can be completely specified to support user level keying without
> any mention of PGP, X.509 or any other mechanism for binding a "name" to
> a key.

I'd prefer to ignore the issue of whether or not that is possible and
get back to my original point -- I think we will need, at some point,
a certificate format. X.509 is unacceptable to the community. I'd like
to invite the "smart people" around these parts to start working
together to try to produce a good alternative.

Perry