ietf-asrg

Re: [Asrg] Consent Proposal

2003-07-01 17:14:36
At 01:57 AM 7/2/2003 +0200, Markus Stumpf wrote:

> On Tue, Jul 01, 2003 at 10:54:46PM +0100, Danny Angus wrote:
> > We can look outside the domain of mail to find workable examples of trust,
> > PGP and SSL both make provision for the inclusion of out-of-channel trust
> > verification. I suppose in this situation it is whom you choose to inherit
> > trust from, and ultimately your trusted root trust providers.
> [..]
>
> There is no such thing as established working "trust" mechanisms in the
> Internet of today (IMHO!!) They all fail miserably as early as because of
> nonexistent working revocation spreading mechanisms. If I get a CERT
> from Verisign for 2 years and they revoke it after one year, who do you
> think will notice that? With their security breach some months ago
> antivirus producers added the falsely issued certs to their antigenes
> so that the end user has at least a very little chance to notice abuse.

What about a central CA issuing certificates to other CAs, controlled by IANA or ICANN-type of organization? There are mechanisms in place to check verifications of certificates in real-time, and that can be implemented as well.

Yakov



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


