[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on client auth


content-type: text/plain; charset=us-ascii

    It may also be that they felt that the mere possibility of
    securing machines against tampering with root keys solved the
    problem of being sure that it was so.  As an implementor I have
    wrestled long with this problem.

I'm convinced that the only robust solution to the public-key
management problem involves smartcard-type technology.

Given limited storage trusted storage space on the smartcard, this
argues for a "you are your own root" model, with certificates for any
third-party "roots" stored externally to the card.

    > I think that we should be clear to distinguish between two
    > different interpretations of chained namespaces. IN SDSI I can
    > create a name using a path - "RSA.com's Verisign.com" I think
    > that this is impractical since it fragments the namespace
    > preventing any equality tests is RSA.com's verisign.com the same
    > as openmarket's ?

    I don't think I follow here - isn't the idea to resolve the names
    by following the references to their sources, thus making
    comparison possible?

I'm not sure I follow this either, but at some level, if you really
want to see if two naming paths lead to the same principal, you just
need to find the public keys at the end of the paths and compare
*them* for equality.  

It's not at all clear to me *why* you would want to do this...

						- Bill

Version: 2.6.2