Re: Sovereign Keys

I stopped listening after 5 minutes, as he did not correctly analyse the problem he will now fix.

In essence, he said that the X.509 cipher suites enable any CA to assert about any namespace.

This is not true. What is true is that the policy authorities charged with setting policy did not require CAs to mint certs that use the extensions for namespace scoping. And whether all browsers/servers enforce the harder extensions is not clear.

Of course, the mechanism in the standard to effect the policy he whines about (due to poor policy management) did not get a mention - early on. Presumably it was all wrong or inherently untrustworthy ("because").

The better browsers all have the capability latent - since it's used in military PKI systems, using the same browser plugged with crypto modules that enforce the more rigorous key distribution controls.

In the million-message threads on pem-dev@tis.com (where v1 things happened before PKIX) it was known as the name subordination issue (the subject DN had to be prefixed by the issuer DN).

For Kingsley's benefit (only): the issuer DN derived from the issuer name was the prefix. This is typically a subset of the name AVAs, once one figures out which are distinguished.

The US/NSA didn't like this, as it tied the authority model to the directory (since only it could state which AVAs were distinguished). They needed offline evaluation (and here was the directory agent in the middle of the proof system).
 
This started a long rot, wherein the subject name became a bag of stuff. Then came the web, which loved bags-of-stuff type engineering (as it takes no effort). Then it hits a wall, and folks say how crap it all is inherently....

Sent from my iPhone

On Jan 8, 2012, at 3:44 PM, "Henry Story" <henry.story@bblfish.net> wrote:

> An interesting proposal by the EFF to build a secure naming system based on signature histories, in the same way that bitcoin functions, I think.
> 
>    http://www.youtube.com/watch?feature=player_embedded&v=18pFTo3zVxk
> 
> Henry
> 
> Social Web Architect
> http://bblfish.net/
> 
> 

Received on Monday, 9 January 2012 00:19:23 UTC
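The name subordination rule the message above describes (the subject DN must be prefixed by the issuer DN), carried through as an added example; this is not code from the thread or from any of its participants. It goes a step beyond the message by also showing the RFC 5280 nameConstraints directoryName test, which is the X.509 extension for namespace scoping referred to above and is the same initial-RDN-sequence check applied per permitted/excluded subtree. Assumptions: DNs are given in RFC 4514 string form (leaf RDN first, e.g. "CN=host,O=Org,C=US"), values are compared case-insensitively with whitespace collapsed (an approximation of X.500 caseIgnoreMatch), and the sample DNs are constructed for the illustration.

```python
"""Name-subordination check for X.500 distinguished names.

Rule: a CA may only issue certificates whose subject DN sits under its own
DN, i.e. the issuer DN is an initial sequence of RDNs of the subject DN.
RFC 5280 nameConstraints (4.2.1.10) applies the same prefix test to each
permitted/excluded directoryName subtree.

Illustration added to the thread, not any participant's code. Assumes RFC
4514 string DNs (leaf RDN first). Handles backslash escapes and multi-valued
RDNs (a+b); the \\XX hex-pair escape form is deliberately not handled.
"""
from typing import FrozenSet, List, Tuple

AVA = Tuple[str, str]      # (attribute type, normalised value)
RDN = FrozenSet[AVA]       # one RDN may carry several AVAs (CN=a+OU=b)


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep` unless it is backslash-escaped; escapes are kept intact."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(c)
            cur.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Drop the backslash from single-character escapes such as \\, \\+ \\=."""
    out: List[str] = []
    i = 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1])
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def _normalize_value(v: str) -> str:
    # Approximates X.500 caseIgnoreMatch: case-fold and collapse whitespace.
    return " ".join(_unescape(v.strip()).split()).casefold()


def parse_dn(dn: str) -> List[RDN]:
    """Parse a string DN into root-first RDNs, each a set of (type, value) AVAs."""
    if not dn.strip():
        return []
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        avas: List[AVA] = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            attr_type, eq, value = ava_text.partition("=")
            attr_type = attr_type.strip().casefold()
            if not eq or not attr_type:
                raise ValueError(f"malformed AVA: {ava_text!r}")
            avas.append((attr_type, _normalize_value(value)))
        rdns.append(frozenset(avas))
    rdns.reverse()  # RFC 4514 text is leaf-first; X.500 prefixing is root-first
    return rdns


def is_subordinate(issuer_dn: str, subject_dn: str) -> bool:
    """True if issuer_dn is an initial RDN sequence of subject_dn.

    Equal DNs (a self-issued certificate) trivially pass."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return subject[: len(issuer)] == issuer


def within_subtree(base_dn: str, dn: str) -> bool:
    """RFC 5280 directoryName subtree membership is the same prefix test."""
    return is_subordinate(base_dn, dn)


def name_constraints_allow(subject_dn: str, permitted: List[str], excluded: List[str]) -> bool:
    """RFC 5280 4.2.1.10 directoryName semantics: an excluded subtree always
    wins; an empty permitted list means no restriction on the name form."""
    if any(within_subtree(x, subject_dn) for x in excluded):
        return False
    if not permitted:
        return True
    return any(within_subtree(p, subject_dn) for p in permitted)


if __name__ == "__main__":
    # Constructed sample DNs, leaf RDN first.
    ca = "OU=Example CA, O=Example Corp, C=US"
    in_namespace = "CN=www.example.com, OU=Example CA, O=Example Corp, C=US"
    foreign = "CN=www.example.com, O=Example Corp, C=US"
    print(is_subordinate(ca, in_namespace))            # True
    print(is_subordinate("O=Other CA, C=XX", foreign))  # False: outside its namespace
```

Under the subordination rule a CA whose own DN is "O=Other CA, C=XX" cannot assert anything about "O=Example Corp, C=US", which is exactly the property the message says the extensions provide when policy requires them; a relying party that skips this check (or a CA that issues without the extension) is what lets "any CA assert about any namespace".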