Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Why the dislike of X.509?

On 8/26/2014 1:37 PM, markw at wrote:
> This is basically a strawman argument because while it could be done this
> way, no one in their right minds would do it this way. That does not
> typify what a shared system would look like.

I didn't say it was smart. In fact, I've been saying that it's bad and

> But, the code signing is exactly the point. There is a "key" that signs
> the code and there is another key (cert or whatever) that verifies the
> code signing key.

But what verifies /that/ key, hmmm?

> If multiple entities can sign the code with their own key, then clients
> must have copies of each cert to verify the signing key. Unless there is a

Say that you want to have three signing entities (agents, operators,
whatever you want to call them) and require at least two of them in
agreement to sign something. You take the secret key, split it into
three pieces. Give each entity copies of two of the three pieces such
that any two have the complete secret key between them.

More properly, the signing entities have copies of pieces of the key
used to decrypt the signing key which, optimally, is held by the
organization's security officer who has no access to the decryption key.

Rich P.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /