# BLU Discuss list archive


# [Discuss] Why the dislike of X.509?

*Subject*: [Discuss] Why the dislike of X.509?
*From*: markw at mohawksoft.com (markw at mohawksoft.com)
*Date*: Tue, 26 Aug 2014 13:37:13 -0400
*In-reply-to*: <53FCC142.9050805@gmail.com>
*References*: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <CA+h9Qs5THPNEir7tLZNjzLWMpod=9UGWTSCeZS2nCwVY0Ox=-w@mail.gmail.com> <53FB7F0A.40105@gmail.com> <253113e101a6fc1b75e160dfbd3d0dbe.squirrel@mail.mohawksoft.com> <53FB9325.9010200@gmail.com> <a7c1366d330261e2ee4906c8d08d0b94.squirrel@mail.mohawksoft.com> <53FB9E7A.5030808@gmail.com> <946844bdd8420720147712d216f1c037.squirrel@mail.mohawksoft.com> <53FCA1DD.60604@gmail.com> <b1c57a406ed7a4dd35ca5dd248dffb1f.squirrel@mail.mohawksoft.com> <53FCC142.9050805@gmail.com>

> On 8/26/2014 1:01 PM, markw at mohawksoft.com wrote:
>> There is no such thing as a security system that has "one" entity, well,
>> perhaps a stone or a brick. There is *always* at least one mechanism that
>> protects and one mechanism that provides access.
>
> An example is a code signing key. In a shared system, many agents
> possess copies of this key. Each agent is an entity. Each of these
> entities is a single point of compromise.

This is basically a strawman argument because while it could be done this way, no one in their right minds would do it this way. That does not typify what a shared system would look like.

> In a distributed system, the code signing key is split and distributed
> among several agents. Again, each agent is an entity. Since no one
> entity has the entire key the compromise of one entity cannot compromise
> the whole key and thus the whole system.

But, the code signing is exactly the point. There is a "key" that signs the code and there is another key (cert or whatever) that verifies the code signing key. If multiple entities can sign the code with their own key, then clients must have copies of each cert to verify the signing key. Unless there is a 1:1 relationship between the signers and the signees (which would be pointless) any one of the clients must maintain all the key certs, in which case, any one system would compromise the whole.

> Does the explanation make sense?

No, not really.

> --
> Rich P.
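The "split and distributed" key Rich describes in the quoted text is what a threshold secret-sharing scheme gives you. The example below is added here for illustration and is not code from either poster; it assumes the split is Shamir-style (k-of-n) over a prime field, which the thread does not spell out. It shows the two properties at issue: any k shares rebuild the key, and fewer than k shares are consistent with every possible key, so one compromised holder learns nothing about it.

```python
"""Shamir k-of-n secret sharing over GF(P) (constructed example, not from the thread)."""
import secrets

# Mersenne prime 2^127 - 1; secrets must be integers in [0, P).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k, rng=secrets.randbelow):
    """Split `secret` into n shares such that any k of them recover it.

    The secret is the constant term of a random degree-(k-1) polynomial;
    share i is the point (i, f(i)). `rng` is injectable only so tests can
    be deterministic; real use keeps secrets.randbelow.
    """
    if not (1 <= k <= n < P) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate(points, x):
    """Evaluate the unique polynomial of degree < len(points) through `points` at `x`
    using Lagrange interpolation mod P."""
    xs = [p[0] for p in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * ((x - xj) % P) % P
                den = den * ((xi - xj) % P) % P
        # P is prime, so Fermat gives the modular inverse of den.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(shares):
    """Reconstruct the secret from at least k distinct shares."""
    return interpolate(shares, 0)


def share_consistent_with(partial_shares, candidate_secret, new_x):
    """Given fewer than k shares, produce a share at `new_x` under which the
    partial set plus this share reconstructs `candidate_secret`.

    Its existence for *every* candidate is why k-1 shares carry no
    information about the real secret.
    """
    points = [(0, candidate_secret)] + list(partial_shares)
    return (new_x, interpolate(points, new_x))


if __name__ == "__main__":
    key = secrets.randbelow(P)          # stand-in for a signing key's scalar
    shares = split_secret(key, n=5, k=3)
    print("3 of 5 recover:", recover_secret(shares[1:4]) == key)
    print("2 of 5 recover:", recover_secret(shares[:2]) == key)
```

Because `interpolate` has no notion of how many shares were issued, a caller who feeds it too few shares simply gets a wrong, uniformly distributed answer rather than an error; a deployment wraps this with the threshold count so holders cannot mistake a partial reconstruction for the key.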

**Follow-Ups**:

- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)

**References**:

- **[Discuss] vnc** *From:* adler at stephenadler.com (Stephen Adler)
- **[Discuss] vnc** *From:* dsr at randomstring.org (Dan Ritter)
- **[Discuss] vnc** *From:* markw at mohawksoft.com (markw at mohawksoft.com)
- **[Discuss] vnc** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] vnc** *From:* nuno at aeminium.org (Nuno Sucena Almeida)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] Why the dislike of X.509?** *From:* jabr at blu.org (John Abreau)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] Why the dislike of X.509?** *From:* jabr at blu.org (John Abreau)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] Why the dislike of X.509?** *From:* markw at mohawksoft.com (markw at mohawksoft.com)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] Why the dislike of X.509?** *From:* markw at mohawksoft.com (markw at mohawksoft.com)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] Why the dislike of X.509?** *From:* markw at mohawksoft.com (markw at mohawksoft.com)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
- **[Discuss] Why the dislike of X.509?** *From:* markw at mohawksoft.com (markw at mohawksoft.com)
- **[Discuss] Why the dislike of X.509?** *From:* richard.pieri at gmail.com (Richard Pieri)
