Re: encodings, character sets, general requirements



   Are we dictating a single trust model, or simply asserting that we must
   support "web" and "constrained-web" models, among others?  Certainly, the
   effort to explore a simpler certificate should nevertheless aim for support
   of varied trust models.
   
I think that "constrained web" is a superset of the trust models we're
interested in.

An unconstrained web is merely a constrained web with no constraints.

A strict certification hierarchy with PEM-style name
subordination is merely a web in the shape of a tree, where the only
valid links occur where the "name" of the certifier is a prefix of the
"name" of the certified.

In that model, the certificate for a CA would say "only valid for names 
beginning with `CA-name'"; if that CA certifies a sub-CA, the constraint in
the CA's certificate would also apply implicitly to the sub-CA.

In the more general model, that constraint would apply unless there was a 
different trust path to the sub-CA which didn't traverse the CA.

                                                - Bill




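The following is an added example, not part of the original message: a sketch of constrained-web path evaluation in which each certificate's "only valid for names beginning with ..." constraint is inherited by everything certified below it on that path, and is evaluated per path. The `Cert` record, the function names, the sample names, and matching prefixes by "/"-separated component are all assumptions made for illustration.

```python
from collections import namedtuple

# One link of the web: `issuer` certifies `subject`. `prefix` is the constraint
# "only valid for names beginning with <prefix>"; None means no constraint.
Cert = namedtuple("Cert", "issuer subject prefix")

def under(name, prefix):
    """Component-wise prefix test, so /us/mitre is not 'under' /us/mit."""
    if prefix is None:
        return True
    n, p = name.split("/"), prefix.split("/")
    return n[:len(p)] == p

def trust_paths(certs, roots, target):
    """Return every loop-free chain root -> ... -> target on which each
    certified name satisfies all constraints inherited along that chain."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    found = []

    def walk(node, path, inherited):
        if node == target:
            found.append(path)
            return
        for c in by_issuer.get(node, []):
            if c.subject in path:
                continue  # never revisit a name on the same chain
            if all(under(c.subject, p) for p in inherited):
                # The constraint in this certificate binds everything below it.
                walk(c.subject, path + [c.subject], inherited + [c.prefix])

    for r in roots:
        walk(r, [r], [])
    return found

# Constructed sample web (all names hypothetical).
CERTS = [
    Cert("root", "/us/mit", "/us/mit"),             # CA, PEM-style constraint
    Cert("/us/mit", "/us/mit/lcs", "/us/mit/lcs"),  # sub-CA
    Cert("/us/mit/lcs", "/us/mit/lcs/bill", None),
    Cert("/us/mit/lcs", "/us/cmu/eve", None),       # outside the CA's subtree
    Cert("friend", "/us/mit/lcs", None),            # second path to the sub-CA
]

if __name__ == "__main__":
    print(trust_paths(CERTS, ["root"], "/us/cmu/eve"))            # strict tree
    print(trust_paths(CERTS, ["root", "friend"], "/us/cmu/eve"))  # general web
```

With only `root` trusted the web behaves as a strict hierarchy; adding `friend` as a second trusted starting point gives the sub-CA a path that does not traverse the CA, so the CA's constraint no longer applies on that path.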
