Re: encodings, character sets, general requirements
Are we dictating a single trust model, or simply asserting that we must
support "web" and "constrained-web" models, among others? Certainly, the
effort to explore a simpler certificate should nevertheless aim for support
of varied trust models.
I think that "constrained web" is a superset of the trust models we're
interested in.
An unconstrained web is merely a constrained web with no constraints.
A strict certification hierarchy with PEM-style name
subordination is merely a web in the shape of a tree, where the only
valid links occur where the "name" of the certifier is a prefix of the
"name" of the certified.
In that model, the certificate for a CA would say "only valid for names
beginning with `CA-name'"; if that CA certifies a sub-CA, the constraint in
the CA's certificate would also apply implicitly to the sub-CA.
In the more general model, that constraint would apply unless there was a
different trust path to the sub-CA which didn't traverse the CA.
- Bill
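The constrained-web model described in the message above, as an added example that is not part of the original post: a path search in which each certificate's name-prefix constraint is inherited by everything certified below it, so the strict hierarchy and the unconstrained web fall out as special cases. The `Cert` record, the function name and all certifier names are constructed for illustration.

```python
from collections import namedtuple

# issuer certifies subject; `prefix` (or None) limits the names that
# `subject` may go on to certify, directly or through sub-certifiers.
Cert = namedtuple("Cert", "issuer subject prefix")

def trust_path(certs, anchors, target):
    """Return the names on one valid path from an anchor to target, or None."""
    stack = [(a, frozenset(), (a,)) for a in anchors]
    seen = set()
    while stack:
        node, limits, path = stack.pop()
        if node == target:
            return list(path)
        if (node, limits) in seen:
            continue
        seen.add((node, limits))
        for c in certs:
            if c.issuer != node or c.subject in path:
                continue
            # Every constraint met earlier on this path applies implicitly here.
            if not all(c.subject.startswith(p) for p in limits):
                continue
            nxt = limits | {c.prefix} if c.prefix is not None else limits
            stack.append((c.subject, nxt, path + (c.subject,)))
    return None

# Constructed data. Tree-shaped web: each CA is limited to names that begin
# with its own name (trailing "/" so "/acme/" does not match "/acme-evil/").
HIERARCHY = [
    Cert("root", "/acme/", "/acme/"),
    Cert("/acme/", "/acme/eng/", "/acme/eng/"),
    Cert("/acme/eng/", "/acme/eng/alice", None),
    Cert("/acme/eng/", "/other/bob", None),   # outside the sub-CA's subtree
]
# General web: a second path reaches the sub-CA without traversing /acme/.
WEB = HIERARCHY + [
    Cert("root", "peer", None),
    Cert("peer", "/acme/eng/", None),
]
# Unconstrained web: the same links with every constraint dropped.
OPEN = [c._replace(prefix=None) for c in HIERARCHY]

if __name__ == "__main__":
    for label, certs in (("hierarchy", HIERARCHY), ("web", WEB), ("open", OPEN)):
        print(label, trust_path(certs, ["root"], "/other/bob"))
```

In the tree-shaped data `/other/bob` is rejected because the constraint on the CA's certificate follows the sub-CA; in `WEB` the same name validates through the path that bypasses the constrained CA.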