In <19990318115056(_dot_)20840(_at_)main(_dot_)templetons(_dot_)com> Brad
Templeton <brad(_at_)templetons(_dot_)com> writes:
On Thu, Mar 18, 1999 at 01:37:54PM +0000, Charles Lindsey wrote:
But even then, we need to make it gateway proof if at all possible.
I don't see how to do this, for reasons including the ones I cited.
Why not read my draft, which explains how to do it.
It is wrong to expect there is only going to be one certificate space,
and that's what it would take to be 'gateway proof',
I expect no such thing. There may or may not be a single "certificate
space" (I am not sure that the concept is even a helpful one) for a given
application (such as Usenet Control messages).
No. My Draft carefully left it up to each 'application' as to how
certificates were distributed.
I don't see how that could work in any efficient manner. Can you describe
how?
It may be that I need an additional 'application' field in the Signed header.
The whole idea of certificates is you *don't* distribute them. You don't
fetch them from servers. USENET can't operate as I know it today
if you need to go off tor remote servers to process a message.
BULLSHIT! If someone invents a public key and never distributes it to
anyone else see it, what use is it?
The whole reason to use certificates is to avoid that. So that every
message, contains, within itself, the means to verify it using only one
of a small set of well known keys that everybody will have on hand or can
get immediately.
So, you admit that some keys must have been distributed somehow.
How much certificate material is contained in each message, and how much
is obtained from well-known servers (and doubtless cached locally) will
differ according to the application. In the Usenet case, I imagine most of
them would be distributed via newsgroups established for the purpose.
The problem is that you don't want people posting messages you can't
verify, and if you post a message, you want to be sure everybody can
verify it.
No. People who regard it as important will want to verify it.
If you let people post a message using keys and certificates
from the E-mail certificate world, you are in effect saying all USENET
sites have to understand E-mail certificates.
Why are you so concerned to stop people from doing things that you,
personally, don't like? Even supposing there were such a thing as "the
E-mail certificate world" (actually there will probably be several of them
:-( ) why should people on Usnet veryify them if them happen to turn up?
And right now the rest of the certificate world is gravitating to x.509 which
is really not suitable for USENET.
I think X.509 is dying.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl(_at_)clw(_dot_)cs(_dot_)man(_dot_)ac(_dot_)uk Web:
http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5