[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

some more certificate usages.


content-type: text/plain; charset=us-ascii

Certain applications *will* want some form of auditing, but the audit
identity should be in the domain of the particular application...

For instance an "is a system administrator of this host" certificate
would probably want to include an audit identity, so you can figure
out which of your multiple admins screwed something up.

"This signed-key should be considered equivalent to the certifying-key
until this certificate expires for the following purposes ..."

        [This is desirable when you wish to reduce the exposure of
         long-term keys.  One way to do this is to use smartcards, but
         those typically have slow processors and are connected
         through low-bandwidth links; however, if you only use the
         smartcard at "login" time to certify a short-term keypair,
         you get high performance and low exposure of the long term

         I'll note here that this flies in the face of attempts to
         prevent delegation of certain rights..  Maybe we need a
         "delegation-allowed" bit -- but there's nothing to stop
         someone who wishes to delegate against the rules from also
         loaning out their private key..].

"I am an administrator of this host/service"

"I am the current legitimate owner of a particular chunk of internet
address space."

        [I'd like to see ipsec eventually become usable, at least for
         privacy, without need for prior arrangement between sites,
         but I think there's a need for a "I own this address"/"I own
         this address range" certificate in order for ipsec to coexist
         with existing ip-address-based firewalls]

"I am the current legitimate owner of a this DNS name or subtree."

"I am the legitimate receiver of mail sent to this rfc822 email
address.  [this might need to be signed by a key which itself had been
certified by the appropriate "DNS name owner" certificate]."

Version: 2.6.2