
Thoughts on the draft



-----BEGIN PGP SIGNED MESSAGE-----


Just some thoughts, after having read the draft.

It'd be nice to be able to have the same certificate signed by
more than one entity; the current scheme allows only one issuer per
certificate. This can be resolved by moving the issuer and validation
fields into the signature field (so that only the signature field is
entity specific).

Also, I'd like to be able to have multiple values per field; so I
could have

NAME: Angelos D. Keromytis
NAME: Aggelos D. Keromitis
NAME: The One And Only

and any comparison of (NAME, somestring) would yield true if
somestring was any of the above.

Having the ASCII version of the certificate as the "default" (parse
that instead of the binary) makes it easier to parse certificates that
use attributes that are not understood by this application. 
This has the advantage that the application can parse a certificate
which has fields not understood but also probably not of any interest
to it. This can be done in the binary certificate as well, but
requires special provision.

Multivalue attributes should be accessible in a structured manner:

SIGNATURE: {ISSUER:foo EXPIRATION: { TIME: endofuniverse TYPE: CRL }
	    ALGORITHM:RSA 
	    VALUE:0x8376812}

SIGNATURE.ISSUER == foo
SIGNATURE.EXPIRATION.TYPE == CRL


Also, some form of certificate dependency; I would probably have some
certificate that has basic information about me. Then, when a bank
wants to issue me a bank account certificate, they just issue a
complementary one (one with the information that's not included in the
base one) which "requires" the base certificate.
- -Angelos

-----BEGIN PGP SIGNATURE-----
Version: 2.6
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBMiMq+L0pBjh2h1kFAQH1dgP/YRuXAgBMt9vIky6gibNhEn/81I1NmC1J
lloKH6C+TcvYYBsWjsykl4sHXRWUAU4BmbpXneH8kEn+aNobpP372SW2NazwXeGC
aSqeT1NFdgz9gcqUx7ytl8oeWK6sjJz3qOOG7WHD7enFvoWzI/zdWc8ER1X/QazN
kwGvFvf7/xs=
=Gl/u
-----END PGP SIGNATURE-----
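The three proposals in the mail (multi-valued fields, structured access to nested attributes such as SIGNATURE.EXPIRATION.TYPE, and a complementary certificate that "requires" a base one) can be tried out against the ASCII form the author prefers. The following is an added example, not code from the mail or from any draft it discusses: a small parser for the brace-nested `FIELD: value` notation shown above, a dotted-path lookup that returns every value at a path, a comparison that is true when the candidate matches any value of a multi-valued field, and a dependency check. The `ID` and `REQUIRES` field names, the second signature, and the bank-account sample are constructed for illustration and are not part of the original.

```python
"""Parser and accessors for a nested, multi-valued ASCII attribute format.

Added example (not from the original mail). Field names ID and REQUIRES,
the sample certificates, and the bank sample are constructed assumptions.
"""
import re

# Tokens: '{', '}', an upper-case FIELD: name, or a bare word of a value.
# Field names are restricted to upper-case identifiers so a value word that
# happens to contain a colon (e.g. "12:30") is not mistaken for a field.
TOKEN = re.compile(r'\{|\}|[A-Z][A-Z0-9_]*:|[^\s{}]+')
KEY = re.compile(r'[A-Z][A-Z0-9_]*:')


def parse(text):
    """Parse the ASCII form into {FIELD: [value, ...]}.

    A value is either the words up to the next field name, brace or end of
    input (joined with single spaces) or, after '{', a nested certificate
    dict.  Repeated fields accumulate, which gives multi-valued attributes.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def parse_block(closing):
        nonlocal pos
        cert = {}
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == '}':
                if not closing:
                    raise ValueError("unexpected '}' at top level")
                pos += 1
                return cert
            if not KEY.fullmatch(tok):
                raise ValueError(f"expected a FIELD: name, got {tok!r}")
            key = tok[:-1]
            pos += 1
            if pos < len(tokens) and tokens[pos] == '{':
                pos += 1
                value = parse_block(True)        # nested attribute block
            else:
                words = []
                while (pos < len(tokens) and tokens[pos] not in ('{', '}')
                       and not KEY.fullmatch(tokens[pos])):
                    words.append(tokens[pos])
                    pos += 1
                value = ' '.join(words)
            cert.setdefault(key, []).append(value)
        if closing:
            raise ValueError("missing '}' at end of input")
        return cert

    return parse_block(False)


def lookup(cert, path):
    """Return every value reachable at a dotted path, e.g. 'SIGNATURE.ISSUER'.

    Because fields are multi-valued, each step may fan out; with two
    SIGNATURE blocks, 'SIGNATURE.ISSUER' returns both issuers.
    """
    current = [cert]
    for part in path.split('.'):
        nxt = []
        for node in current:
            if isinstance(node, dict):
                nxt.extend(node.get(part, []))
        current = nxt
    return current


def matches(cert, path, candidate):
    """(path, candidate) compares true if candidate equals any value at path."""
    return candidate in lookup(cert, path)


def requirements_satisfied(cert, available):
    """True when every REQUIRES value names the ID of a certificate in `available`.

    ID and REQUIRES are assumed field names standing in for whatever the
    draft would use to bind a complementary certificate to its base one.
    """
    ids = {i for base in available for i in lookup(base, 'ID')}
    return all(req in ids for req in lookup(cert, 'REQUIRES'))


# Constructed sample: the NAME and SIGNATURE lines follow the mail's examples;
# ID, the second SIGNATURE block and the bank certificate are invented.
BASE_SAMPLE = """
ID: angelos-base
NAME: Angelos D. Keromytis
NAME: Aggelos D. Keromitis
NAME: The One And Only
SIGNATURE: {ISSUER:foo EXPIRATION: { TIME: endofuniverse TYPE: CRL }
            ALGORITHM:RSA
            VALUE:0x8376812}
SIGNATURE: {ISSUER:bar ALGORITHM:RSA VALUE:0x1234}
"""

BANK_SAMPLE = """
ID: angelos-bank
REQUIRES: angelos-base
ACCOUNT: 12345678
SIGNATURE: {ISSUER:bank ALGORITHM:RSA VALUE:0x5678}
"""

if __name__ == '__main__':
    base = parse(BASE_SAMPLE)
    bank = parse(BANK_SAMPLE)
    print(lookup(base, 'SIGNATURE.ISSUER'))
    print(matches(base, 'NAME', 'The One And Only'))
    print(requirements_satisfied(bank, [base]))
```

Two points the mail only hints at show up once this runs: a path such as `SIGNATURE.ISSUER` naturally yields a list when the certificate carries several signatures, so any verifier has to decide whether it needs one acceptable issuer or all of them; and a field the application does not understand (`ACCOUNT` here) is simply carried along in the dictionary, which is the parsing advantage the author attributes to the ASCII form.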