
RE: Any more comments ...



It seems to me that there are two uses for certificates.  I suspect we want
to support both of them.

(1) Certificates as Capabilities.  In this use, I would expect that the
entity (person or program) who wanted to exercise some capability would
pass the certificate giving it the authority along with the request to
exercise that authority.  There would be no need for directory lookups
except those needed by the entity to organize the certificates it had been
given.  In addition to having several certificates, the entity might also
have several key-pairs, where only it knows that they represent the same
entity.

(2) Certificates as Identity Attributes.  This is basically the X.500/X.509
directory lookup problem.  You have some kind of unique name for an entity
and want to get a public key.  Or perhaps you have some kind of attribute
and want to fetch the certificates which contain that attribute.  This use
of certificates can use third-party signers, to validate the data, and
perhaps some standards about the attributes (or unique name) to make
the searching system usable.  (N.B. A unique name is an attribute which is
guaranteed to be included in only one certificate in this model.)

The first use would tend to encourage certificates which have only one
meaning, to reduce the bandwidth required to send them, while the second
encourages certificates which say everything there is to be said about an
entity (with possible multiple signers), because of the tendency to want
unique names.  If we treat the unique name as a non-unique attribute, then
we have the situation where each entity can have many certificates in "the
database", and lookups can proceed by asking for all certificates where the
name_attribute == X and some_other_attribute == Y.

Have I missed anything?


------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA