On 1/24/06, Anders Rundgren <[EMAIL PROTECTED]> wrote:
>
> Kyle,
> The NDA situation is indeed very bad for progress.
> Then the question is who is going to standardize such a thing?
>
> ITU does not really deal with browsers, this seems to be more a W3C, OASIS
> or IETF type of activity.

...but the ITU (nee CCITT) /did/ standardize on X.509, which the IETF found severely lacking and extended to X.509v2, and then X.509v3, which is what our current certificates are. Since we're looking at an international problem, the ITU (International Telecommunications Union) is the body that consolidates multiple governments' and large corporations' views into something that is usually overspecified and tedious to work with. However, it's that step that is most necessary to get any kind of governmental recognition out of it. (ANSI only ratifies ISO specifications. ISO ratifies ITU specifications.)

> In my opinion there are other parts of the browser PKI support that may need
> an overhaul, like on-line key gen and certification. I'm sure on-line
> issuance will be the norm, and at least the Xenroll stuff used in IE is
> really ugly and quite impossible for an ordinary user to understand
> (selecting CSP???). Many of the proprietary signature schemes therefore
> also have an equally proprietary issuance mechanism.

The problem is, with so many standards to choose from, how do you create something that'll work with most of them? I'm talking in this case about RSA certificates versus DH certificates. Personally, I think that having both an RSA key and a DH key in the same certificate would be ideal, but that would require rethinking the entire "one keypair, one cert" model that we currently have. (Perhaps also embed an elliptic curve key, and other asymmetric ciphers as they become available.) That way, the owner could identify him/her/itself to anyone who understood any of the schemes in the certificate. I'm woefully out-of-date on my reading of the cryptographic literature, so I'm not sure what's available at this point in time. Time to hit the books...

-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto