Re: Index for ftp site csn.org:/mpj/

> I can't speak for RIPEM, but that's not accurate for PEM. You can have
> as long a chain of signatures as you want up to the certifying authority.
> That may not be as general as you'd like, but it's better than just a
> single authority.

I think we have a lack of communication here. What I said is
completely true about PEM, as well as RIPEM. You cannot have more
than one signature on your certificate. I did not mention signature
chains in my message at all, only signatures.

For example, in PEM, you have the root key sign some certificate, and
that certificate signs another, and so on down the chain to a user
certificate. However, in PEM I cannot sign your certificate! *THAT*
is what I'm talking about. PEM certificates can have one, and *ONLY*
one, signature on them.

I'm not saying that I think the PEM CA model is bad -- there are good
points to it. I just feel it is too restrictive. I like being able
to have anyone sign anybody's key in PGP, and building certification
in that manner. The fact that in PEM you have a lot of hoops to jump
through in order to become a CA will, IMHO, be its downfall. Right
now anyone can become a PGP Certification Authority.

-derek
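
The two certification models contrasted in this message, as an added example that is not part of the original post: a hierarchical certificate carries exactly one issuer signature and is checked by walking issuer links to a root, while a PGP-style key carries any number of signatures and is checked against the verifier's own trusted introducers. All names and sample data are constructed, cryptographic signature verification is not modelled, and the `needed` threshold is a simplified stand-in for PGP's trust computation.

```python
from dataclasses import dataclass, field

@dataclass
class HierCert:
    """PEM-style certificate: exactly one issuer, hence one signature."""
    subject: str
    issuer: str  # the single signer; a self-signed root names itself

@dataclass
class WebKey:
    """PGP-style key: any number of other key holders may sign it."""
    owner: str
    signers: set = field(default_factory=set)

def hier_chain(certs, subject, root):
    """Walk issuer links from subject up to root; return the path or None."""
    path, seen = [subject], {subject}
    while path[-1] != root:
        cert = certs.get(path[-1])
        if cert is None or cert.issuer in seen:  # unknown subject or a loop
            return None
        path.append(cert.issuer)
        seen.add(cert.issuer)
    return path

def web_valid(keys, owner, trusted, needed=1):
    """Valid when at least `needed` signers are introducers the verifier trusts."""
    key = keys.get(owner)
    return key is not None and len(key.signers & trusted) >= needed

# Constructed sample data (all names are hypothetical).
CERTS = {c.subject: c for c in [
    HierCert("root-ca", "root-ca"),
    HierCert("org-ca", "root-ca"),
    HierCert("alice", "org-ca"),
]}
KEYS = {k.owner: k for k in [
    WebKey("alice", {"derek", "bob"}),
    WebKey("carol", {"mallory"}),
]}

if __name__ == "__main__":
    print(hier_chain(CERTS, "alice", "root-ca"))
    print(web_valid(KEYS, "alice", trusted={"derek"}))
    print(web_valid(KEYS, "carol", trusted={"derek"}))
```

In the hierarchical model the only way to add a second endorsement for "alice" is a second certificate from another issuer; in the web model it is one more entry in `signers`.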