RE: Any more comments ...
At 11:06 AM 4/23/96 -0700, Simon Spero wrote:
>Too much stuff to get through at once, so I thought I'd address these two
>points first; these two requirements are somewhat linked, so that
>different parties should be able to sign different fields, or the same
>party could sign different fields. This also links in with support for
>policies; policies should apply on a per-signature basis - thus a single
>certificate could include two public keys, one signed for
>key-exchange, the other for signature only.
As I believe I said in an earlier message, this smacks of the bad habit
which X.509 folks got into of thinking that there is one certificate per
entity [at least from the point of view of a CA] and therefore everything
and the kitchen sink was loaded into that certificate. In that world, I
hear you asking for separate, independent signed things.
In the world as I see it, there are only the subsets. Each is a
certificate. Any one entity can and will have multiple certificates, signed
by various people. That entity is, of course, identified by a unique name:
a public signature key for which he/she/it can demonstrate the ability to
sign documents or a public enciphering key for which he/she/it can
demonstrate the ability to read messages. Each entity can have multiple
unique names, of course, but a certificate applies only to a single unique
name [= public key].
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430 http://www.cybercash.com/ |
|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091 Tel: (703) 620-4200 |
+--------------------------------------------------------------------------+
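The model Ellison argues for above (the public key is the name, each certificate binds exactly one key to one policy, and an entity with two keys simply holds two independently signed certificates) can be shown in a few dozen lines. The following Go program is an added illustration written for this archive page; it is not code from Ellison, from the list, or from any SPKI implementation. It assumes Ed25519 for issuer signatures and the subject's signing key, X25519 for the subject's key-exchange key, and a constructed length-prefixed encoding; the names Cert, Issue, Authorizes and KeyName are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Usage is the policy attached to one certificate: what the subject key may do.
type Usage string

const (
	UsageSignature   Usage = "signature"
	UsageKeyExchange Usage = "key-exchange"
)

// Cert binds exactly one subject public key to one usage under one issuer's
// signature. An entity holding several keys holds several certificates,
// possibly from different issuers; none depends on another.
type Cert struct {
	Issuer    ed25519.PublicKey // who vouches
	Subject   []byte            // raw public key: this is the subject's name
	Usage     Usage
	Signature []byte
}

// tbs builds the to-be-signed encoding (constructed for this example). Each
// field is length-prefixed so a triple cannot be re-split into another triple.
func tbs(issuer ed25519.PublicKey, subject []byte, usage Usage) []byte {
	var out []byte
	for _, f := range [][]byte{issuer, subject, []byte(usage)} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// Issue creates a certificate over (issuer, subject, usage) signed by issuerPriv.
func Issue(issuerPriv ed25519.PrivateKey, subject []byte, usage Usage) Cert {
	issuerPub := issuerPriv.Public().(ed25519.PublicKey)
	return Cert{
		Issuer:    issuerPub,
		Subject:   subject,
		Usage:     usage,
		Signature: ed25519.Sign(issuerPriv, tbs(issuerPub, subject, usage)),
	}
}

// Verify checks the issuer's signature over this certificate's own fields only.
func (c Cert) Verify() bool {
	return ed25519.Verify(c.Issuer, tbs(c.Issuer, c.Subject, c.Usage), c.Signature)
}

// KeyName derives a short printable handle from a public key. The key itself
// is the identity; the hash is only a convenient way to refer to it.
func KeyName(pub []byte) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Authorizes reports whether some certificate in certs, issued by a key in
// trusted, certifies key for exactly this usage. Certificates are judged one
// at a time: a certificate for the same entity's other key contributes nothing.
func Authorizes(certs []Cert, trusted []ed25519.PublicKey, key []byte, usage Usage) bool {
	for _, c := range certs {
		if c.Usage != usage || !bytes.Equal(c.Subject, key) || !c.Verify() {
			continue
		}
		for _, t := range trusted {
			if c.Issuer.Equal(t) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed scenario: one entity holds a signing key and a separate
	// key-exchange key; two different issuers certify one key each.
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	peerPub, peerPriv, _ := ed25519.GenerateKey(rand.Reader)
	sigPub, _, _ := ed25519.GenerateKey(rand.Reader)
	kxPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	kxPub := kxPriv.PublicKey().Bytes()

	certs := []Cert{
		Issue(caPriv, sigPub, UsageSignature),
		Issue(peerPriv, kxPub, UsageKeyExchange),
	}
	trusted := []ed25519.PublicKey{caPub, peerPub}

	fmt.Printf("%s may sign: %v\n", KeyName(sigPub), Authorizes(certs, trusted, sigPub, UsageSignature))
	fmt.Printf("%s may key-exchange: %v\n", KeyName(sigPub), Authorizes(certs, trusted, sigPub, UsageKeyExchange))
	fmt.Printf("%s may key-exchange: %v\n", KeyName(kxPub), Authorizes(certs, trusted, kxPub, UsageKeyExchange))

	// Changing one certificate's policy invalidates only that certificate.
	certs[0].Usage = UsageKeyExchange
	fmt.Printf("tampered cert verifies: %v, other cert verifies: %v\n", certs[0].Verify(), certs[1].Verify())
}
```

The point of the layout is that there is no container to load "everything and the kitchen sink" into: each Cert is self-contained, the per-signature policy Spero asks for falls out of the Usage field, and the check in Authorizes never has to reason about which of several keys inside one certificate a signature was meant for.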