[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] comments on draft-kupwade-sip-iba-00

How can we verify a certificate from a random CA? It will definitely be a serious threat in the near future.
 
Self signed certificates are not very reliable either.
 
 A malicious KG is equivalent to a malicious CA. A malicious CA can also tag a public key to a different user and pose the same threat level.
 

Eric Rescorla <ekr at networkresonance.com> wrote:
 
At Wed, 27 Feb 2008 08:30:11 -0800 (PST),
Harsh Kupwade wrote:
> Forcing a signer to send a certificate is fine, but if the
> signer?s root CA is not same as the receiver?s root CAs, then
> the receiver has to go through a complex path construction process
> which is not a trivial problem.

Huh? The entire Web security system operates on the principle that you
can verify certificates from random CAs. This has not turned out to be
a serious problem in practice.
 


Moreover, *exactly* the same problem exists wrt the KG in identity-based
systems.

-Ekr

Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip