Re: [Auth]a couple of questions and suggestions

From: David Sugar
Subject: Re: [Auth]a couple of questions and suggestions
Date: Fri, 13 Jul 2001 09:19:53 -0400
User-agent: Mozilla/5.0 (X11; U; Linux 2.2.16-9mdk i686; en-US; m18) Gecko/20001013

In certificate authorities, I recall that root certificates for each authority must be distributed before certificates issued by that authority can be used. This could present a problem and a means to control and limit what independent authorities exist. Imagine, for example, if MS stuff like IE makes it even harder to load new CA root certificates other than those originally issued with their IE base distribution, and wipes out any add-on ones every time you "upgrade". Also, the CA must then issue the individual certificates for everything that is used and deployed, rather than users individually, as is the case with gpg.

On the other hand, it is true the CA system that exists today does work, even if it's still clumsy and somewhat hard to set up; openssh certificate tools are getting better. A "CA" package that makes it easy for anyone anywhere to configure and operate a CA would be nice in and of itself. Should it be the basis for DotGNU authentication? I do not know, but would like to see more discussion on this.


Anders Lindback wrote:

Norbert Sendetzky wrote:

A few people already made suggestions on how to handle authorisation/authentication. But they all mentioned some kind of a central repository. I think it would be nice if auth can be handled through a "web of trust" like in PGP, which we could use. This approach has several advantages:

- Anybody can create one or more identities
- If the identity should be accepted by an online shop he can go to a trust center and let them sign his identity (e.g. PGP key) after proving his identity.
- PGP (OpenPGP) is also widely used at the moment and is an accepted standard

Other opinions?

Why not base authentication using a standard CA that is
used to identify users within the https protocol.
That way it will work with basically any web browser and
it will also be based on an existing and widely used standard.

There already exist projects that are working to make it possible for
basically anyone to start a CA.

One doesn't need a central CA; it is possible to define this using
a large number of independent CAs which are handled by a web of trust.

Why re-invent the wheel?

Auth mailing list
