some more certificate usages.
-----BEGIN PGP SIGNED MESSAGE-----
content-type: text/plain; charset=us-ascii
Certain applications *will* want some form of auditing, but the audit
identity should be in the domain of the particular application...

For instance an "is a system administrator of this host" certificate
would probably want to include an audit identity, so you can figure
out which of your multiple admins screwed something up.

"This signed-key should be considered equivalent to the certifying-key
until this certificate expires for the following purposes ..."
[This is desirable when you wish to reduce the exposure of
long-term keys. One way to do this is to use smartcards, but
those typically have slow processors and are connected
through low-bandwidth links; however, if you only use the
smartcard at "login" time to certify a short-term keypair,
you get high performance and low exposure of the long term

I'll note here that this flies in the face of attempts to
prevent delegation of certain rights.. Maybe we need a
"delegation-allowed" bit -- but there's nothing to stop
someone who wishes to delegate against the rules from also
loaning out their private key..].

"I am an administrator of this host/service"

"I am the current legitimate owner of a particular chunk of internet
[I'd like to see ipsec eventually become usable, at least for
privacy, without need for prior arrangement between sites,
but I think there's a need for a "I own this address"/"I own
this address range" certificate in order for ipsec to coexist
with existing ip-address-based firewalls]

"I am the current legitimate owner of this DNS name or subtree."

"I am the legitimate receiver of mail sent to this rfc822 email
address. [this might need to be signed by a key which itself had been
certified by the appropriate "DNS name owner" certificate]."
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
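
The short-term key delegation described in the message above, sketched as an added example that is not part of the original post. It assumes Ed25519 signatures and a JSON certificate body; the `Delegation` fields, the function names and the "login" purpose string are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Delegation is a hypothetical certificate body: SubKey is equivalent to the
// certifying key for the listed Purposes until NotAfter.
type Delegation struct {
	SubKey   ed25519.PublicKey
	Purposes map[string]bool
	NotAfter time.Time
}

// Certify is the one slow long-term-key operation, done once at "login".
func Certify(longTerm ed25519.PrivateKey, d Delegation) (body, sig []byte) {
	body, _ = json.Marshal(d) // cannot fail for this struct
	return body, ed25519.Sign(longTerm, body)
}

// Verify accepts msg only if the delegation is signed by the trusted key, is
// unexpired, covers purpose, and msgSig was made by the delegated short-term key.
func Verify(trusted ed25519.PublicKey, body, sig []byte, purpose string, msg, msgSig []byte, now time.Time) error {
	var d Delegation
	if !ed25519.Verify(trusted, body, sig) || json.Unmarshal(body, &d) != nil {
		return errors.New("delegation signature or encoding invalid")
	}
	if now.After(d.NotAfter) {
		return errors.New("delegation expired")
	}
	if !d.Purposes[purpose] {
		return fmt.Errorf("purpose %q not delegated", purpose)
	}
	if len(d.SubKey) != ed25519.PublicKeySize || !ed25519.Verify(d.SubKey, msg, msgSig) {
		return errors.New("message not signed by delegated key")
	}
	return nil
}

func main() { // constructed demo: keys and message are generated here
	ltPub, ltPriv, _ := ed25519.GenerateKey(nil) // long-term key (e.g. on a smartcard)
	stPub, stPriv, _ := ed25519.GenerateKey(nil) // short-term session keypair
	body, sig := Certify(ltPriv, Delegation{stPub, map[string]bool{"login": true}, time.Now().Add(8 * time.Hour)})
	msg := []byte("constructed sample message")
	fmt.Println(Verify(ltPub, body, sig, "login", msg, ed25519.Sign(stPriv, msg), time.Now()))
}
```

After `Certify`, the long-term private key is not needed again until the delegation expires; every later signature uses only the short-term key.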