1994-01-31 - Re: Index for ftp site csn.org:/mpj/

Header Data

From: Derek Atkins <warlord@MIT.EDU>
To: smb@research.att.com
Message Hash: f1b99a34651c5539a1ed0b74436ffbebb9332a5f261438ec8196329e680c397b
Message ID: <9401312121.AA08215@toxicwaste.media.mit.edu>
Reply To: <9401311900.AA27644@MIT.EDU>
UTC Datetime: 1994-01-31 21:23:10 UTC
Raw Date: Mon, 31 Jan 94 13:23:10 PST

Raw message

From: Derek Atkins <warlord@MIT.EDU>
Date: Mon, 31 Jan 94 13:23:10 PST
To: smb@research.att.com
Subject: Re: Index for ftp site csn.org:/mpj/
In-Reply-To: <9401311900.AA27644@MIT.EDU>
Message-ID: <9401312121.AA08215@toxicwaste.media.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


> I can't speak for RIPEM, but that's not accurate for PEM.  You can have
> as long a chain of signatures as you want up to the certifying authority.
> That may not be as general as you'd like, but it's better than just a
> single authority.

I think we have a lack of communication here.  What I said is
completely true about PEM, as well as RIPEM.  You cannot have more
than one signature on your certificate.  I did not mention signature
chains in my message at all, only signatures.

For example, in PEM, you have the root key sign some certificate, and
that certificate signs another, and so on down the chain to a user
certificate.  However, in PEM I cannot sign your certificate!  *THAT*
is what I'm talking about.  PEM certificates can have one, and *ONLY*
one, signature on them.

I'm not saying that I think the PEM CA model is bad -- there are good
points to it.  I just feel it is too restrictive.  I like being able
to have anyone sign anybody's key in PGP, and building certification
in that manner.  The fact that in PEM you have a lot of hoops to jump
through in order to become a CA will, IMHO, be its downfall.  Right
now anyone can become a PGP Certification Authority.

-derek





Thread