[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

some more certificate usages.

To: cme@cybercash.com
Subject: some more certificate usages.
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Date: Tue, 27 Feb 1996 20:01:30 -0500
Cc: spki@c2.org

-----BEGIN PGP SIGNED MESSAGE-----

content-type: text/plain; charset=us-ascii

Certain applications *will* want some form of auditing, but the audit
identity should be in the domain of the particular application...

For instance an "is a system administrator of this host" certificate
would probably want to include an audit identity, so you can figure
out which of your multiple admins screwed something up.

"This signed-key should be considered equivalent to the certifying-key
until this certificate expires for the following purposes ..."

        [This is desirable when you wish to reduce the exposure of
         long-term keys.  One way to do this is to use smartcards, but
         those typically have slow processors and are connected
         through low-bandwidth links; however, if you only use the
         smartcard at "login" time to certify a short-term keypair,
         you get high performance and low exposure of the long term
         key.

         I'll note here that this flies in the face of attempts to
         prevent delegation of certain rights..  Maybe we need a
         "delegation-allowed" bit -- but there's nothing to stop
         someone who wishes to delegate against the rules from also
         loaning out their private key..].

"I am an administrator of this host/service"

"I am the current legitimate owner of a particular chunk of internet
address space."

        [I'd like to see ipsec eventually become usable, at least for
         privacy, without need for prior arrangement between sites,
         but I think there's a need for a "I own this address"/"I own
         this address range" certificate in order for ipsec to coexist
         with existing ip-address-based firewalls]

"I am the current legitimate owner of a this DNS name or subtree."

"I am the legitimate receiver of mail sent to this rfc822 email
address.  [this might need to be signed by a key which itself had been
certified by the appropriate "DNS name owner" certificate]."





-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMTOpYlpj/0M1dMJ/AQHQhAP+JQAeOJ0MbFy9eXiDkgOTXdbtvvUNfccN
liPizhAl95ExRQev9kOZsrbfzAacF5aibZFedu70gAmdRyZwE57H1N6TixDSO7ea
bDdqOZgzeU1OLCd/7GvkyHvhZcgUMJAkv7Nsbr1DXfbnN36X8QfYzaVcILavmkic
cAuT+3nSBCs=
=3t/u
-----END PGP SIGNATURE-----

Prev by Date: brainstorming list of certificate uses
Next by Date: Re: going back to stone axes
Prev by thread: brainstorming list of certificate uses
Next by thread: Re: some more certificate usages.
Index(es):
- Main
- Thread