
Re: Identity certification



At 11:41 2/27/96, Jueneman@gte.com wrote:

[items of much agreement skipped over here, but appreciated]


>>2.      A generalized cert gives you a strong binding between a permission and
>>the key employed.  [Imagine having security clearance operate as in (1)
>>above!]
>>Once you have the permission certified, you don't need the path to the
>>human body, in most cases.  This one, direct link -- bound cryptographically
>>-- is far stronger than the 2 or 3 hop chain of bindings in (1), in which
>>only the first link is cryptographically strong.
>
>I agree! BUT YOU DON'T NEED A NEW CERTIFICATE FORMAT TO DO THIS!!
>
>X.509 ALREADY SUPPORTS THIS CAPABILITY!!!

No need to scream. :)

>I don't want to accuse you or anyone else of not having done their homework,
>but I get the very strong impression that some people haven't read X.509 V3 in
>detail.


I do, in fact, understand the possibilities with X.509 V3, although I have
not read the full detail.  I have not done my homework, in that sense.  What I
did do was read enough to see the possibilities and my objections --
and then I wrote it off as hopelessly tainted by its X.509 progenitor.

[I am willing to read in more detail.  URL?]

Most specifically, the need to encode what I call a Meaning as a
set of OID/value pairs, instead of tag,value in natural language,
is one sign of this taint.

I have had to make OIDs in a past life and was lucky enough to work for
TIS which already had a corporate branch of the OID tree, so I could define
one with little effort.  Great.  [I ended up with something longer than the
natural language tag I would have used, but that's a side jab.]

The big issue is that an OID has usefulness only if the receiver understands
it.  So, somehow I have to communicate the real meaning to that receiver
-- either out of band or through some global database of OIDs.  A global
database of OIDs might be interesting, but this strikes me as something
quite baroque compared to the straight-forward use of natural language
tags and values, as I have proposed.  The natural language tag,value can
be chosen to communicate the meaning without requiring any out-of-band
communication.



>The basic capability provided by X.509 V3 is the ability to ARBITRARILY add new
>extensions to the basic certificate format. These extensions are in the form of
>X.500 attributes and are identified with a unique attribute OID. ANY company or
>organization that wants to can create a new attribute, defining it any way they
>please (in ASN.1), and ascribe whatever semantics they would like to it. It
>would be convenient if the organization registered its name with ANSI at the
>national level and got an OID at the same time, but that isn't a requirement.
>ANSI will issue an OID without a name. And if that is too much trouble, DEC
>(and perhaps some others) have created an X.500 attribute under their own OID
>which allows any one in the world to create a unique OID by incorporating their
>globally unique world wide telephone number, including country code.

Yup -- a good move.  It's an obvious next step in the X.509 evolution.
Now everyone can create an OID which no one else understands until it's
defined.

However, this can also be accomplished far more directly with natural
language tag,value pairs, as I said before.


>However, extension attributes can also be marked as CRITICAL, in which case, if
>the UA is unaware of how to process the information it is required to reject
>the certificate (or at least involve a human in the decision making process).

This is an interesting idea, but I would like to see examples of this.
Let's say I have a cert which includes my security clearance -- clearly
a CRITICAL field, at least for some applications.  Does that make
it critical for all applications?  Do I misunderstand?


>So you are perfectly free to proliferate private attributes to your heart's
>content, so long as either (1) you are the CA,  or (2) can persuade your CA to
>include that attribute in your certificate.

Yup -- another difference between X.509V3 and my proposal.  I don't require
CAs.  I embrace the PGP freedom allowing any individual to sign another key.
Formal CAs have no special place -- except in so far as they acquire
reputations for service or reliability which attract users.

In other words, I believe X.509 is slowly evolving toward the general
certificate I've outlined -- but isn't there yet, and might not get there
very fast at all as long as it remains bound to DNs, ASN.1 and the hope
that X.500 will someday get widely adopted.


>So conceptually, at least, when you want to obtain a certificate you would go
>(electronically or in person) to your friendly neighborhood CA store, and say,
>"Please, mister, could I have a certificate? And by the way, I am proud to be a
>card carrying member of the Lexington Minuteman Chowder and Marching Society,
>and I would like my membership number included in the certificate."

I don't want to go to a CA store.  For most of my life, I don't need to.
For a bank card, I want to go to my bank.  For a reputation certificate,
I'll go to a friend.  For permission to spend company money, I'll go to
my company.  No CAs -- unless you define all users as CAs, in which case
the notion of CA has been diluted beyond significance.

>(c=US, S=MA,
>l=Lexington, o="Lexington Chowder and Marching Society", serialNumber=1234),

As I said before, it's the existence of the DN which I find unnecessary
and an obstruction, more than its content, but the content is offensive by
itself.

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+
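
The CRITICAL-extension rule discussed in this message, as an added example that is not part of the original post or of either correspondent's code: the critical flag is a field the issuer sets inside each X.509 v3 extension, so every relying party sees the same flag and one that does not recognize the OID must reject the certificate. The OID 1.2.3.99999 and the "SECRET" value are constructed placeholders for a private clearance extension.

```python
# X.509 v3: Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
#   critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }

def read_tlv(buf, pos, want):
    """Return (content, next_pos) for the DER element at pos with tag `want`."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag {want:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first encoded value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extension(der):
    """Return (oid, critical, extn_value) for one DER-encoded Extension."""
    seq, _ = read_tlv(der, 0, 0x30)        # SEQUENCE
    oid, pos = read_tlv(seq, 0, 0x06)      # extnID
    critical = False  # DEFAULT FALSE: DER omits the field when not critical
    if seq[pos:pos + 1] == b"\x01":        # BOOLEAN present
        flag, pos = read_tlv(seq, pos, 0x01)
        critical = flag != b"\x00"
    value, _ = read_tlv(seq, pos, 0x04)    # extnValue OCTET STRING
    return decode_oid(oid), critical, value

def accepts(extensions, understood):
    """Relying-party rule: any unrecognized critical extension rejects the cert."""
    return all(oid in understood or not critical
               for oid, critical, _ in map(parse_extension, extensions))

# Constructed sample data: the same made-up clearance extension, encoded once
# with critical=TRUE and once with the flag omitted (non-critical).
CLEARANCE_OID = "1.2.3.99999"
CRITICAL = bytes.fromhex("301406052a03868d1f0101ff04080c06534543524554")
NON_CRITICAL = bytes.fromhex("301106052a03868d1f04080c06534543524554")
```

With this data, an application whose `understood` set lacks the clearance OID rejects the `CRITICAL` encoding but accepts the `NON_CRITICAL` one, while an application that knows the OID accepts both.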