
Re: editorial on Photuris



-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG
 A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj
 dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw
 MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl
 Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT
 DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB
 AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf
 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA
 A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK
 aTxjgASxqHhzkx7PkOnL4JrN+Q==
MIC-Info: RSA-MD5,RSA,
 DIZJ+gls3W4AmocMnqiFawculyJHcfrMSDPszIWsv8tUlX3V4vDGPPi2Bok5fMqD
 dvyTM6rFgNudVZ3V2pbAKIo=

> > 	- if we clutter the DNS with all the additional information
> > 	  required to support a fully developed, distributed, secure
> > 	  infrastructure, it will look remarkably like an X.500
> > 	  Directory Service.
> 
> I'm afraid that we already have a proposal for embedding certificates
> in the DNS that doesn't make it look like X.500. Don't assume everyone
> is as incapable of producing a clean and simple solution as the ISO.

I'm not making this particular assumption.  My assumption is that you
are short-sighted -- slam in certificates and our security problems
are solved.  Well, I would like this infrastructure to be useful for
more than IP security, say for Electronic Commerce.  This means that
you need LOTS more stuff, like the CA's policy statement, a pointer to
the CA's real-time electronic notary, the authorizations granted to me
by my employer for EDI transactions, etc.  DNS bloat == X.500.

As these issues have no relevance to Photuris, the Photuris spec should
be independent of the mechanism binding name and key.  This frees you and
your "smart people" to go off and design your new public key infrastructure.
Please spend some time researching the larger requirements for such an
infrastructure first.  You might also touch base with the PKIX working
group; they seem to think that this infrastructure is their charter.

Charles Watt
SecureWare
-----END PRIVACY-ENHANCED MESSAGE-----