[Discuss] Why the dislike of X.509?

[markw at mohawksoft.com (markw at mohawksoft.com)]

> On 8/26/2014 1:01 PM, markw at mohawksoft.com wrote:
>> There is no such thing as a security system that has "one" entity, well,
>> perhaps a stone or a brick. There is *always* at least one mechanism
>> that
>> protects and one mechanism that provides access.
>
> An example is a code signing key. In a shared system, many agents
> possess copies of this key. Each agent is an entity. Each of these
> entities is a single point of compromise.

This is basically a strawman argument because while it could be done this
way, no one in their right minds would do it this way. That does not
typify what a shared system would look like.

>
> In a distributed system, the code signing key is split and distributed
> among several agents. Again, each agent is an entity. Since no one
> entity has the entire key the compromise of one entity cannot compromise
> the whole key and thus the whole system.

But, the code signing is exactly the point. There is a "key" that signs
the code and there is another key (cert or whatever) that verifies the
code signing key.

If multiple entities can sign the code with their own key, then clients
must have copies of each cert to verify the signing key. Unless there is a
1:1 relationship between the signers and the signees (which would be
pointless) any one of the clients must maintain all the key certs, in
which case, any one system would compromise the whole.
>
> Does the explanation make sense?
No, not really.
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>