public key request

Troy Benjegerdes hozer at hozed.org
Tue May 24 11:49:16 PDT 2005


On Tue, May 24, 2005 at 11:34:22AM -0700, Brad Fitzpatrick wrote:
> On Tue, 24 May 2005, Troy Benjegerdes wrote:
> 
> > I'll second the full x509 cert idea.
> >
> > Having "real" x509 certs for all LJ users would be a real nice thing..
> > This would be a nice way to offer 'https://username.bloghost.com' as a
> > value-added service as well.
> 
> Sorry, I'm not getting it yet.  If you care, why don't you just run your
> identity server on SSL?
> 
> Why reinvent HTTPS?
> 
> You guys want a way for a higher authority (a root CA) to be able to sign
> your DSA public keys?
> 
> Or am I really not getting it?

I think it's more of a flexibility and re-use of existing infrastructure
argument.. x509 certs are relatively well-understood and documented.
Just because it's an x509 cert doesn't mean it needs to be signed by any
root CA.. but it *could* be if someone wanted. Personally I'd rather
trust self-signed certs from people I know than some root CA.

I think the idea is using x509 certificates as the container for public
and private keys instead of re-inventing something else, which may
re-create security problems that have already been dealt with in x509
certs.

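As an added example, not code from the yadis thread or from any identity server discussed on it, here is the "self-signed cert you choose to trust" model from the message above, driven through the openssl command line: one party mints a self-signed X.509 certificate for an identity, a relying party pins that certificate as its only trust anchor (the system root store is ignored entirely), and a signed message is checked with the public key carried in the certificate. One caveat a practitioner would want stated: the certificate carries only the public key, so the private key is written to its own PEM file and stays with the signer. The identity names (alice.example, mallory.example), the scratch paths and the hypothetical "tampered message" input are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the yadis list or any of its projects): pinning a
# self-signed X.509 cert as the sole trust anchor and using the public key
# inside it to check a signature. Names and paths below are assumptions.
set -eu

# Mint a self-signed cert. The cert carries only the public key; the
# private key is written to a separate PEM file and stays with the signer.
make_identity_cert() {             # $1 = CN, $2 = output path prefix
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Check a cert against one explicitly pinned anchor and nothing else:
# -no-CAfile/-no-CApath keep the system root store out of the decision.
# Exit status 0 means "this is a cert I personally chose to trust".
verify_pinned() {                  # $1 = pinned anchor cert, $2 = cert to check
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Sign a file with the private key; verify it with the public key pulled out
# of the cert, i.e. the "container for the public key" use of X.509.
sign_message() {                   # $1 = private key, $2 = message, $3 = sig out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_message() {                 # $1 = cert, $2 = message, $3 = signature
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# End-to-end run in a scratch directory. Returns 0 only if every expectation
# holds: pinned cert accepted, unpinned cert rejected, genuine signature
# accepted, signature over a tampered message rejected.
run_demo() {
    work=$(mktemp -d)
    make_identity_cert "alice.example"   "$work/alice"    # hypothetical user
    make_identity_cert "mallory.example" "$work/mallory"  # not in our pin set
    printf 'hello from alice\n'   > "$work/msg"           # constructed input
    printf 'hello from mallory\n' > "$work/tampered"      # constructed input
    sign_message "$work/alice.key" "$work/msg" "$work/msg.sig"

    status=0
    verify_pinned "$work/alice.crt" "$work/alice.crt"                 || status=1
    verify_pinned "$work/alice.crt" "$work/mallory.crt"               && status=1
    verify_message "$work/alice.crt" "$work/msg"      "$work/msg.sig" || status=1
    verify_message "$work/alice.crt" "$work/tampered" "$work/msg.sig" && status=1
    rm -rf "$work"
    return "$status"
}

if run_demo; then
    echo "pinned self-signed cert: all checks passed"
else
    echo "pinned self-signed cert: a check failed"
    exit 1
fi
```

The point of the pin file is that it replaces the root CA, not that it adds to it: mallory.example's cert is perfectly valid X.509 and would verify against its own file just as alice.example's does, but it is rejected here because the relying party never chose to trust it. If a root CA signature were wanted later, the same openssl verify call would work with that CA's cert as the -CAfile and nothing about the message-signing side would change.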

More information about the yadis mailing list