public key request

Brad Fitzpatrick brad at danga.com
Tue May 24 11:56:54 PDT 2005



On Tue, 24 May 2005, Troy Benjegerdes wrote:

> On Tue, May 24, 2005 at 11:34:22AM -0700, Brad Fitzpatrick wrote:
> > On Tue, 24 May 2005, Troy Benjegerdes wrote:
> >
> > > I'll second the full x509 cert idea.
> > >
> > > Having "real" x509 certs for all LJ users would be a real nice thing..
> > > This would be a nice way to offer 'https://username.bloghost.com' as a
> > > value-added service as well.
> >
> > Sorry, I'm not getting it yet.  If you care, why don't you just run your
> > identity server on SSL?
> >
> > Why reinvent HTTPS?
> >
> > You guys want a way for a higher authority (a root CA) to be able to sign
> > your DSA public keys?
> >
> > Or am I really not getting it?
>
> I think it's more of a flexibility and re-use of existing infrastructure
> argument.. x509 certs are relatively well-understood and documented.
> Just because it's an x509 cert doesn't mean it needs to be signed by any
> root CA.. but it *could* be if someone wanted. Personally I'd rather
> trust self-signed certs from people I know than some root CA.
>
> I think the idea is using x509 certificates as the container for public
> and private keys instead of re-inventing something else, which may
> re-create security problems that have already been dealt with in x509
> certs.

Hey, I didn't reinvent anything ... I just used the OpenSSL functions
to dump a public key and I assumed that was some sort of standard.

