
Re: PKIX Profile for IKE - CA Certificates & IKE Identification Certificates



Maybe somewhat off-topic, but... here goes: I have a problem
understanding the certificate path. Say, peer sends

    CA-0 -> CA-x -> CA-y -> CA-z(identity)

We trust CA-0, we have a path from CA-z to CA-0, but so what? Unless
we trust CA-y, CA-z and 'identity' could be anything at all.

CA-y could be any of the millions of entities that have a valid signed
certificate rooting on CA-0.

To me it seems that the path is only usable, if we already trust all
intermediates. But then, what do we need the path for? [Just to find
the culprits after the damage has occurred?]

I must be missing some point...

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/

