gnutls-devel

Re: Support for trusted_ca_keys extension during TLS handshake


From: Nikos Mavrogiannopoulos
Subject: Re: Support for trusted_ca_keys extension during TLS handshake
Date: Wed, 31 Oct 2012 18:45:02 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120805 Icedove/10.0.6

On 10/31/2012 06:40 PM, David Fuhrmann wrote:

>> I don't know whether you can apply it in your case, but why not use
>> the "traditional" PKI there. Have a root CA to sign all other temporal
>> CAs and have all the devices to trust the root one. It sounds more
>> elegant approach than having the server decide which certificate to
>> use based on the connecting client trusted CA.
> 
> Yeah, sure, but the root certificate to be installed inside the client 
> already lasts 40 years.
> The system is to be designed to work longer than that, and it is not such a good 
> idea to create an even longer "super" root CA.


Indeed, in such a system you'll have such issues. The biggest one looks to be
whether the existing algorithms would stay secure for that long.
Nevertheless, if you try implementing this extension it wouldn't be that
difficult.

regards,
Nikos
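The extension under discussion is trusted_ca_keys (extension type 3, RFC 6066
section 6): the client sends a TrustedAuthorities list identifying CAs it trusts,
and the server may use it to pick a certificate chain the client can validate.
The following is an added example, not GnuTLS code and not code from anyone in
this thread. It encodes and parses the TrustedAuthorities structure with the
RFC's four IdentifierType values, then shows the server-side selection David
describes: pick the chain whose root CA matches a cert_sha1_hash or x509_name
entry from the client's list. The CA "certificates" and DN bytes are constructed
stand-ins for DER, and the helper and chain names are assumptions, not names
from GnuTLS.

```python
"""trusted_ca_keys (RFC 6066 section 6): encode, parse, and select a chain.

Added example, not GnuTLS code. The root certificates and distinguished
names below are constructed byte strings standing in for real DER."""
import hashlib
import struct

# IdentifierType values from RFC 6066 section 6
PRE_AGREED = 0
KEY_SHA1_HASH = 1
X509_NAME = 2
CERT_SHA1_HASH = 3


def encode_trusted_authorities(authorities):
    """authorities: list of (identifier_type, payload).
    Returns the TrustedAuthorities body: a 2-byte length followed by the
    concatenated TrustedAuthority entries (type byte plus identifier)."""
    body = b""
    for id_type, ident in authorities:
        if id_type == PRE_AGREED:
            if ident:
                raise ValueError("pre_agreed carries no identifier")
            body += bytes([id_type])
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if len(ident) != 20:
                raise ValueError("SHA1Hash must be exactly 20 bytes")
            body += bytes([id_type]) + ident
        elif id_type == X509_NAME:
            # opaque DistinguishedName<1..2^16-1>: 2-byte length prefix
            if not 1 <= len(ident) <= 0xFFFF:
                raise ValueError("DistinguishedName length out of range")
            body += bytes([id_type]) + struct.pack("!H", len(ident)) + ident
        else:
            raise ValueError("unknown IdentifierType %d" % id_type)
    return struct.pack("!H", len(body)) + body


def decode_trusted_authorities(data):
    """Parse a TrustedAuthorities body into [(identifier_type, payload)].
    Every length is checked against the buffer so a truncated or padded
    extension is rejected instead of being read past its end."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (list_len,) = struct.unpack("!H", data[:2])
    if len(data) != 2 + list_len:
        raise ValueError("list length does not match extension body")
    pos, end, out = 2, 2 + list_len, []
    while pos < end:
        id_type = data[pos]
        pos += 1
        if id_type == PRE_AGREED:
            out.append((id_type, b""))
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if pos + 20 > end:
                raise ValueError("truncated SHA1Hash")
            out.append((id_type, data[pos:pos + 20]))
            pos += 20
        elif id_type == X509_NAME:
            if pos + 2 > end:
                raise ValueError("truncated DistinguishedName length")
            (n,) = struct.unpack("!H", data[pos:pos + 2])
            pos += 2
            if n == 0 or pos + n > end:
                raise ValueError("bad DistinguishedName length")
            out.append((id_type, data[pos:pos + n]))
            pos += n
        else:
            raise ValueError("unknown IdentifierType %d" % id_type)
    return out


def select_chain(ext_body, chains):
    """Server side: walk the client's list in its order and return the name of
    the first configured chain whose root CA it identifies, else None.
    chains: list of dicts with 'name', 'root_cert' (DER) and 'root_subject'
    (DER-encoded subject Name). Hypothetical structure, not a GnuTLS type."""
    for id_type, ident in decode_trusted_authorities(ext_body):
        for chain in chains:
            if id_type == CERT_SHA1_HASH and \
                    ident == hashlib.sha1(chain["root_cert"]).digest():
                return chain["name"]
            if id_type == X509_NAME and ident == chain["root_subject"]:
                return chain["name"]
    return None


# Constructed sample data: stand-ins for the 40-year root and a newer root.
OLD_ROOT = b"constructed-der:old-root-ca"
OLD_ROOT_DN = b"constructed-dn:old-root-ca"
NEW_ROOT = b"constructed-der:new-root-ca"
NEW_ROOT_DN = b"constructed-dn:new-root-ca"
SERVER_CHAINS = [
    {"name": "chain-old", "root_cert": OLD_ROOT, "root_subject": OLD_ROOT_DN},
    {"name": "chain-new", "root_cert": NEW_ROOT, "root_subject": NEW_ROOT_DN},
]


def client_extension_for(root_cert):
    """What a client would put in its ClientHello for one trusted root."""
    return encode_trusted_authorities(
        [(CERT_SHA1_HASH, hashlib.sha1(root_cert).digest())])


def demo():
    """Client trusting only NEW_ROOT should be handed the new chain."""
    return select_chain(client_extension_for(NEW_ROOT), SERVER_CHAINS)
```

The SHA-1 values here are only lookup keys for picking a chain; they are not a
trust decision. The client still validates whatever chain the server sends
against its own store, so a collision in the identifier costs at most a
failed handshake, not a forged trust path.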
