public key request
hozer at hozed.org
Tue May 24 11:49:16 PDT 2005
On Tue, May 24, 2005 at 11:34:22AM -0700, Brad Fitzpatrick wrote:
> On Tue, 24 May 2005, Troy Benjegerdes wrote:
> > I'll second the full x509 cert idea.
> > Having "real" x509 certs for all LJ users would be a real nice thing..
> > This would be a nice way to offer 'https://username.bloghost.com' as a
> > value-added service as well.
> Sorry, I'm not getting it yet. If you care, why don't you just run your
> identity server on SSL?
> Why reinvent HTTPS?
> You guys want a way for a higher authority (a root CA) to be able to sign
> your DSA public keys?
> Or am I really not getting it?
I think it's more of a flexibility and re-use of existing infrastructure
argument.. x509 certs are relatively well-understood and documented.
Just because it's an x509 cert doesn't mean it needs to be signed by any
root CA.. but it *could* be if someone wanted. Personally I'd rather
trust self-signed certs from people I know than some root CA.
I think the idea is using x509 certificates as the container for public
and private keys instead of re-inventing something else, which may
re-create security problems that have already been dealt with in x509
More information about the yadis