Re: [Monotone-devel] Re: key trust


From: Conrad Steenberg
Subject: Re: [Monotone-devel] Re: key trust
Date: Wed, 12 Oct 2005 16:15:39 -0700

On Wed, 2005-10-12 at 23:10 +0100, Bruce Stephens wrote:
> Richard Levitte - VMS Whacker <address@hidden> writes:
> 
> [...]
> 
> > No, I was thinking of making good use of things like policy attributes
> > to assign roles or rights to a certificate holder.  But sure, if you
> > want, there's always the possibility of coupling the whole thing with
> > a replicated LDAP repository and do the math with it :-).
> 
> But if your certificate has all those decorations then it's probably
> not so usable for other purposes, so I'd guess that would diminish the
> "single signon" type argument for using X.509?

I strongly agree with this sentiment: use the certs for identification
only, not authorization.

Adding these non-standard attributes to X509 certs is far worse than
inventing your own certificate system: you get all the bloat of an
existing specification, without any of the benefits of that
specification: interoperability, and the use of standard tools and
libraries.

> I suspect that if monotone had an ssh-agent type system (maybe even
> one that actually used ssh-agent, whether or not it used ssh keys),
> then a lot of the irritation with using monotone-specific keys would
> go?
> 
> > But you'll have to wait until that RFC is implemented in OpenSSL :-).
> 
> OK, not for a couple of weeks, then?
> 
> [...]
-- 
Conrad Steenberg <address@hidden>
California Institute of Technology
