signing of subsets of a document or certificate

Subject: RE: Any more comments on the whois++ SPKI proposalette?

At 08:03 PM 4/22/96 -0400, Rich Salz wrote:
>I need something like the ability to sign subsets.

I think we all do, in the general case.

However, for certificates it seems like an unnecessary complication --
especially since the field name tags will be about as long as the field
they're tagging.  There's nothing to stop someone from making a subset
certificate and signing that and that feels like the cleaner solution to me.

We might be being confused here by the X.509 bad habit of acting like there
was only one certificate per entity, with everything in the world attached
to that certificate.

As long as a certificate is only:
A) Meaning [= permission granted, statement made, or whatever]
B) Signed key ID
C) Signing key ID
D) validity info [date range, CRL location, ...]

the certificate itself is not much larger than a subset specification.


In the general case of signed documents, not only do we all have this need
but I know of at least one person who has a very good solution in the works.
I'm not free to give any details until he chooses to publish, however.

 - Carl
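To make the "subset certificate" alternative concrete, here is an added Python sketch (not from the original message or the SPKI work) of the four-field certificate Carl lists, with a subset certificate derived and signed on its own. The key, field names, encoding and use of HMAC-SHA256 as a stand-in for a public-key signature are all assumptions for the sake of a self-contained example.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Cert:
    """The minimal certificate from the message: fields A) through D)."""
    meaning: tuple       # A) permissions granted / statements made
    subject_key_id: str  # B) signed key ID
    issuer_key_id: str   # C) signing key ID
    validity: dict       # D) validity info (date range, CRL location, ...)


def canonical(cert: Cert) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(asdict(cert), sort_keys=True, separators=(",", ":")).encode()


def sign(cert: Cert, issuer_key: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for a real signature; the stdlib
    # has no public-key signing and the point here is the structure.
    return hmac.new(issuer_key, canonical(cert), hashlib.sha256).hexdigest()


def verify(cert: Cert, sig: str, issuer_key: bytes) -> bool:
    return hmac.compare_digest(sign(cert, issuer_key), sig)


def subset_cert(cert: Cert, wanted: set) -> Cert:
    """Rather than signing a subset of fields, issue a smaller certificate
    carrying only the wanted part of A) with the same B), C) and D)."""
    keep = tuple(m for m in cert.meaning if m in wanted)
    return Cert(keep, cert.subject_key_id, cert.issuer_key_id, cert.validity)


# Constructed sample data (hypothetical key IDs and permissions).
ISSUER_KEY = b"constructed-demo-issuer-key"
FULL = Cert(
    meaning=("read:/projects", "write:/projects", "admin:/projects"),
    subject_key_id="sha1:subject-key-placeholder",
    issuer_key_id="sha1:issuer-key-placeholder",
    validity={"not_before": "1996-04-22", "not_after": "1997-04-22"},
)

if __name__ == "__main__":
    sub = subset_cert(FULL, {"read:/projects"})
    print("full verifies:", verify(FULL, sign(FULL, ISSUER_KEY), ISSUER_KEY))
    print("subset verifies:", verify(sub, sign(sub, ISSUER_KEY), ISSUER_KEY))
    # A subset certificate's signature does not transfer to the full one.
    print("subset sig on full:", verify(FULL, sign(sub, ISSUER_KEY), ISSUER_KEY))
```

Each certificate is a complete, independently verifiable statement, so a holder of the read-only subset cannot present its signature over the larger certificate.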

