Re: comments on client auth
At 06:09 PM 6/13/96 -0700, PALAMBER.US.ORACLE.COM wrote:
>6) The X.509v3 certificate only supports a single backward
> reference to an issuing authority. In a multi-rooted
> trust hierarchy or in some cross certification scenarios
> the result of a validation process can be ambiguous.
Paul,
I believe the notion of requiring a Meaning field in every certificate (a specific "I grant authority X to this key, Y") solves the ambiguities you mentioned. It's only when the Meaning is implicit in the root of the CA path that you get in trouble in the multi-rooted scenario. Right?
- Carl
Date: Fri, 14 Jun 1996 13:29:43 -0400
To: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>
From: Carl Ellison <cme@cybercash.com>
Subject: Re: comments on client auth
Cc: spki@c2.org
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+--------------------------------------------------------------------------+