Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WFwPJ-0007zR-Of for bitcoin-development@lists.sourceforge.net; Wed, 19 Feb 2014 01:57:05 +0000 X-ACL-Warn: Received: from [95.47.141.119] (helo=vps.pedantic.co.za) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) id 1WFwPG-0003Nf-Hw for bitcoin-development@lists.sourceforge.net; Wed, 19 Feb 2014 01:57:05 +0000 Received: from berndj by vps.pedantic.co.za with local (Exim 4.76) (envelope-from ) id 1WFvyC-0006SG-Pj for bitcoin-development@lists.sourceforge.net; Wed, 19 Feb 2014 02:29:04 +0100 MIME-Version: 1.0 In-Reply-To: <20140218214721.GA25356@savin> References: <5303B110.70603@bitpay.com> <20140218214721.GA25356@savin> Date: Wed, 19 Feb 2014 01:41:36 +0200 Message-ID: From: Bernd Jendrissek To: Peter Todd Content-Type: text/plain; charset=ISO-8859-1 Sender: "Bernd Jendrissek,,," X-Spam-Score: 1.0 (+) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 1.0 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1WFwPG-0003Nf-Hw Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] BIP70 proposed changes X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Feb 2014 01:57:05 -0000 [Ick, resending to list due to From: snafu] On Tue, Feb 18, 2014 at 11:47 PM, Peter Todd wrote: > What specifically do you dislike about X.509? The technical standard or > the infrastructure around it? (IE the centralized authorities) I'm not the one who was complaining, but what I dislike is that a certificate can have only one issuer. Cross-signing doesn't address my dislike: it's different enough from being a certificate's single issuer that it leaves too much power in the CAs' hands, IMHO. It isn't so much the centralization per se that I object to, but the way that the technical standard encourages concentration in the infrastructure. See http://lair.fifthhorseman.net/~dkg/tls-centralization/#Why_does_the_architecture_encourage_concentration%3F I've been (slowly) working on a patch to allow pki_data to contain more than just the single certificate chain that the single-issuer-only format insists on, but I'm making as many steps back as forward, being unsure of the right way to do it. Implementing an OpenPGP-based pki_type would probably be better, but hacking x509+* seems like a lower-hanging fruit.