
Re: propagation control



At 10:57 PM -0700 4/20/97, Carl Ellison wrote:
>If we don't allow such propagation control, the issuer can still
>do what he wants -- only it might take some more careful group
>definitions.
>
>- ---------
>
>So, my take is not to allow (propagate <group-name>), on the
>theory that this would apply only to a very small set of cases
>and the issuer in those cases could do other things.

Without physical or strong administrative control of the user's system
(e.g. the situation on the Internet) the user can easily overcome a
no-propagate cert.  For details see my previous rants on the subject.  It
is a poor practice to provide a "security" feature that can't be enforced.
It lets people feel they are safe when they are not.


-------------------------------------------------------------------------
Bill Frantz       | God could make the world   | Periwinkle -- Consulting
(408)356-8506     | in six days because he did | 16345 Englewood Ave.
frantz@netcom.com | not have an installed base.| Los Gatos, CA 95032, USA


