RE: Any more comments ...

At 11:06 AM 4/23/96 -0700, Simon Spero wrote:

>Too much stuff to get through at once, so I thought I'd address these two
>points first; These two requirements are somewhat linked, so that
>different parties should be able to sign different fields, or the same
>party could sign different fields. This also links in with support for
>policies; policies should apply on a per-signature basis - thus a single
>certificate could include two public keys, one signed for
>key-exchange, the other for signature only.

As I believe I said in an earlier message, this smacks of the bad habit
which X.509 folks got into of thinking that there is one certificate per
entity [at least from the point of view of a CA] and therefore everything
and the kitchen sink was loaded into that certificate.  In that world, I
hear you asking for separate, independent signed things.

In the world as I see it, there are only the subsets.  Each is a
certificate.  Any one entity can and will have multiple certificates, signed
by various people.  That entity is, of course, identified by a unique name:
a public signature key for which he/she/it can demonstrate the ability to
sign documents or a public enciphering key for which he/she/it can
demonstrate the ability to read messages.  Each entity can have multiple
unique names, of course, but a certificate applies only to a single unique
name [= public key].

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091              Tel: (703) 620-4200                         |
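The structure Carl describes above (one certificate per public key, the key itself serving as the entity's name, different issuers signing different certificates, policy judged per signature) as an added worked example; this code is not part of the thread and is not SPKI's actual certificate format. It assumes modern Ed25519 signing and X25519 key-exchange keys from Go's standard library, a two-word purpose vocabulary ("signature", "key-exchange"), and the parties Alice, Bob, an employer and a mailhub, all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Cert is one signed statement by one issuer about exactly one subject key. The
// subject key is the subject's name; an entity with two keys holds two certs.
type Cert struct {
	Issuer  ed25519.PublicKey // the key making the statement
	Subject []byte            // the public key the statement is about
	Purpose string            // assumed vocabulary: "signature" or "key-exchange"
	Sig     []byte            // Issuer's signature over (Issuer, Subject, Purpose)
}

// toBeSigned length-prefixes each field so distinct triples never collide.
func toBeSigned(issuer ed25519.PublicKey, subject []byte, purpose string) []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{issuer, subject, []byte(purpose)} {
		binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.Write(f)
	}
	return buf.Bytes()
}

// Issue: any key holder may certify any key for any purpose.
func Issue(issuer ed25519.PrivateKey, subject []byte, purpose string) Cert {
	pub := issuer.Public().(ed25519.PublicKey)
	return Cert{pub, subject, purpose, ed25519.Sign(issuer, toBeSigned(pub, subject, purpose))}
}

// Verify checks the issuer's signature only; believing that issuer is the
// relying party's separate, per-certificate decision (see Policy.Accept).
func (c Cert) Verify() bool {
	return len(c.Issuer) == ed25519.PublicKeySize &&
		ed25519.Verify(c.Issuer, toBeSigned(c.Issuer, c.Subject, c.Purpose), c.Sig)
}

// Policy maps each purpose to the one issuer this relying party believes for it.
type Policy map[string]ed25519.PublicKey

// Accept: does some cert in the bundle, from the issuer trusted for this
// purpose, name exactly this subject key for exactly this purpose?
func (p Policy) Accept(bundle []Cert, subject []byte, purpose string) bool {
	issuer, ok := p[purpose]
	for _, c := range bundle {
		if ok && c.Purpose == purpose && bytes.Equal(c.Subject, subject) &&
			bytes.Equal(c.Issuer, issuer) && c.Verify() {
			return true
		}
	}
	return false
}

// Demo is a constructed scenario: Alice's signing key and key-exchange key are
// certified by two different issuers, and Bob applies his own policy to each.
// Key-generation errors (only crypto/rand can fail here) are ignored for brevity.
func Demo() map[string]bool {
	r := map[string]bool{}
	aliceSigPub, aliceSigPriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceKxPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	aliceKxPub := aliceKxPriv.PublicKey().Bytes()
	employerPub, employerPriv, _ := ed25519.GenerateKey(rand.Reader)
	mailhubPub, mailhubPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Different parties sign different certificates about the same entity.
	bundle := []Cert{
		Issue(employerPriv, aliceSigPub, "signature"),
		Issue(mailhubPriv, aliceKxPub, "key-exchange"),
	}
	bob := Policy{"signature": employerPub, "key-exchange": mailhubPub}
	r["sig accepted"] = bob.Accept(bundle, aliceSigPub, "signature")
	r["kx accepted"] = bob.Accept(bundle, aliceKxPub, "key-exchange")
	r["kx key accepted for signing"] = bob.Accept(bundle, aliceKxPub, "signature")
	// A signature covers one subject key; moving it to another key breaks it.
	forged := bundle[0]
	forged.Subject = aliceKxPub
	r["forged verifies"] = forged.Verify()
	// Alice is the entity her keys name: she signs Bob's fresh challenge and
	// derives the same secret Bob derives from the certified X25519 key.
	challenge := make([]byte, 32)
	rand.Read(challenge)
	r["proved signing"] = ed25519.Verify(aliceSigPub, challenge, ed25519.Sign(aliceSigPriv, challenge))
	bobEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	kxFromCert, _ := ecdh.X25519().NewPublicKey(bundle[1].Subject)
	bobSecret, _ := bobEph.ECDH(kxFromCert)
	aliceSecret, _ := aliceKxPriv.ECDH(bobEph.PublicKey())
	r["proved reading"] = bytes.Equal(bobSecret, aliceSecret)
	return r
}

func main() {
	fmt.Println(Demo())
}
```

Run it with `go run`. The map it prints shows each certificate accepted only for its own purpose and only under Bob's own choice of issuer, the employer's signature failing as soon as it is moved onto the key-exchange key, and Alice proving control of each key separately: signing a challenge with one, completing the X25519 exchange with the other. Nothing here ties the two keys to a shared identity record; the only link between them is that the same person happens to hold both private keys.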