Re: comments on client auth
>> Date: Thu, 13 Jun 1996 16:53:13 -0700
>> To: spki@c2.org
>> From: starman@llnl.gov (Jeff Parrett)
>>
>> Further, as a user I don't want to have to deal with a bunch of CA's and
>> decide if I "trust" each of them. In our architecture we have
>> introduced the concept of "inherited trust". This allows the CA which I
>> trust to establish a trusted relationship with another CA. If I ask my CA
>> for a key which it does not have but can obtain thru a trusted relationship
>> then I get the key along with a "chain of trust" which shows the derivation
>> of the key. The user can then determine the acceptability of the key.
>>
>> We feel this model keeps it simple for the user while allowing a flexible
>> and extendable CA infrastructure.
>
>
>In other words, you agree exactly with the X.509 way of doing things -
>rooted hierarchies with cross-certification and name-subordination rules.
>Bravo! :-) :-) :-)
>
Actually what we are more focused on is the protocol for getting a public
key. I don't care how the CA stores the information. Where would the Web be
if we had to worry about the http implementation on each server? My
paragraph above is just an illustration that the protocol we are proposing
allows flexibility at the CA's end and it's transparent to the user.
Jeff Parrett (starman@llnl.gov)
The stars are the limit!
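The following is an added illustration and is not part of the thread, nor the LLNL protocol or any real SPKI or X.509 format. It models the "inherited trust" lookup quoted above in Go: a client trusts one CA; that CA has a trusted relationship with a second CA (it has certified the peer's key); a lookup for a key the first CA does not hold is forwarded to the peer and comes back with a chain showing its derivation, which the client then checks link by link from its own root. CA names ("ca-a", "ca-b"), the subject "bob", Ed25519 signatures and the length-prefixed to-be-signed encoding are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a signed binding of a name to a public key. It is used both for
// end-entity keys and for one CA vouching for another CA's key.
// (Illustrative format, not SPKI or X.509.)
type Cert struct {
	Subject string
	Key     ed25519.PublicKey
	Issuer  string
	Sig     []byte
}

// tbs is the byte string that gets signed. Length-prefixed fields stop a
// subject/issuer boundary from being shifted by a crafted name.
func tbs(subject, issuer string, key ed25519.PublicKey) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%x", len(subject), subject, len(issuer), issuer, key))
}

// CA holds a signing key, the certs it has issued, and the peer CAs it has a
// trusted relationship with (it has issued a cert for each peer's key).
type CA struct {
	Name   string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	issued map[string]Cert
	peers  map[string]*CA
}

func NewCA(name string) *CA {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CA{Name: name, pub: pub, priv: priv, issued: map[string]Cert{}, peers: map[string]*CA{}}
}

// Issue signs a name/key binding under this CA and stores it.
func (c *CA) Issue(subject string, key ed25519.PublicKey) Cert {
	cert := Cert{Subject: subject, Key: key, Issuer: c.Name,
		Sig: ed25519.Sign(c.priv, tbs(subject, c.Name, key))}
	c.issued[subject] = cert
	return cert
}

// Trust establishes a trusted relationship: this CA certifies the peer's key
// and will forward lookups it cannot answer itself to the peer.
func (c *CA) Trust(peer *CA) {
	c.Issue(peer.Name, peer.pub)
	c.peers[peer.Name] = peer
}

// Lookup returns the chain of certs from this CA down to subject, or nil.
// visited stops loops between mutually cross-certified CAs.
func (c *CA) Lookup(subject string, visited map[string]bool) []Cert {
	if cert, ok := c.issued[subject]; ok {
		return []Cert{cert}
	}
	visited[c.Name] = true
	for name, peer := range c.peers {
		if visited[name] {
			continue
		}
		if rest := peer.Lookup(subject, visited); rest != nil {
			return append([]Cert{c.issued[name]}, rest...)
		}
	}
	return nil
}

// Client trusts exactly one CA, identified by name and key.
type Client struct {
	RootName string
	RootKey  ed25519.PublicKey
}

// Verify walks the chain from the client's root: every link must be issued by
// the previous link's subject and carry a valid signature under that key, and
// the chain must end at the requested subject.
func (cl Client) Verify(chain []Cert, subject string) (ed25519.PublicKey, error) {
	name, key := cl.RootName, cl.RootKey
	for i, cert := range chain {
		if cert.Issuer != name {
			return nil, fmt.Errorf("link %d: issuer %q is not the trusted name %q", i, cert.Issuer, name)
		}
		if !ed25519.Verify(key, tbs(cert.Subject, cert.Issuer, cert.Key), cert.Sig) {
			return nil, fmt.Errorf("link %d: bad signature on %q", i, cert.Subject)
		}
		name, key = cert.Subject, cert.Key
	}
	if name != subject {
		return nil, errors.New("chain does not end at " + subject)
	}
	return key, nil
}

// Scenario builds two CAs with a trusted relationship, fetches bob's key via
// the client's own CA, verifies the returned chain, then checks that a chain
// with a substituted key is rejected. Returns (validAccepted, forgedRejected).
func Scenario() (bool, bool) {
	caA, caB := NewCA("ca-a"), NewCA("ca-b")
	caA.Trust(caB)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caB.Issue("bob", bobPub)

	alice := Client{RootName: caA.Name, RootKey: caA.pub}
	chain := caA.Lookup("bob", map[string]bool{}) // [ca-a->ca-b, ca-b->bob]
	key, err := alice.Verify(chain, "bob")
	good := err == nil && key.Equal(bobPub)

	evilPub, _, _ := ed25519.GenerateKey(rand.Reader)
	forged := append([]Cert(nil), chain...)
	forged[len(forged)-1].Key = evilPub // signature no longer matches
	_, err = alice.Verify(forged, "bob")
	return good, err != nil
}

func main() {
	ok, rejected := Scenario()
	fmt.Println("valid chain accepted:", ok, "forged chain rejected:", rejected)
}
```

The point the example makes is that the client never has to decide whether it trusts ca-b: it only needs ca-a's key, and ca-a's signature over ca-b's key is what carries the trust across. Name-subordination or policy limits on what a peer may certify are not modelled here; a real deployment would constrain each cross-certificate rather than let any trusted peer vouch for any name.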