Re: encodings, character sets, general requirements
Are we dictating a single trust model, or simply asserting that we must
support "web" and "constrained-web" models, among others? Certainly, the
effort to explore a simpler certificate should nevertheless aim for support
of varied trust models.
I think that "constrained web" is a superset of the trust models we're
An unconstrained web is merely a constrained web with no constraints.
A strict certification hierarchy with PEM-style name
subordination is merely a web in the shape of a tree, where the only
valid links occur where the "name" of the certifier is a prefix of the
"name" of the certified.
In that model, the certificate for a CA would say "only valid for names
beginning with `CA-name'"; if that CA certifies a sub-CA, the constraint in
the CA's certificate would also apply implicitly to the sub-CA.
In the more general model, that constraint would apply unless there was a
different trust path to the sub-CA which didn't traverse the CA.
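The constrained-web model described in the message above, sketched as an added example that is not part of the original post: certificates are edges in a graph, an edge may carry a name-prefix constraint, and a constraint is inherited by everything certified further down that path. The `Cert` record, the `/`-separated names and the sample certificates are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    issuer: str
    subject: str
    prefix: Optional[str] = None  # "only valid for names beginning with <prefix>"

def under(name: str, prefix: str) -> bool:
    # Compare whole name components so "/org-a" does not match "/org-ab/x".
    n, p = name.strip("/").split("/"), prefix.strip("/").split("/")
    return n[:len(p)] == p

def trusted(certs, root: str, target: str) -> bool:
    """True if at least one certification path root -> target exists on which
    every link obeys the constraints inherited from higher up that same path."""
    def walk(node, constraints, seen):
        if node == target:
            return True
        for c in certs:
            if c.issuer != node or c.subject in seen:
                continue
            # A link is valid only if the certified name satisfies every
            # constraint carried by certificates earlier on this path.
            if not all(under(c.subject, p) for p in constraints):
                continue
            inherited = constraints + ((c.prefix,) if c.prefix else ())
            if walk(c.subject, inherited, seen | {c.subject}):
                return True
        return False
    return walk(root, (), frozenset({root}))

# Constructed sample: a strict hierarchy (a web in the shape of a tree).
HIERARCHY = [
    Cert("root", "/org-a", prefix="/org-a"),    # CA, constrained to its own name
    Cert("/org-a", "/org-a/dept"),              # sub-CA inherits the constraint
    Cert("/org-a/dept", "/org-a/dept/alice"),
    Cert("/org-a/dept", "/org-b/bob"),          # sub-CA certifying outside its subtree
]
# General model: a second path to the sub-CA that does not traverse the CA.
GENERAL = HIERARCHY + [Cert("root", "/org-a/dept")]
# Unconstrained web: the same web with no constraints.
UNCONSTRAINED = [c._replace(prefix=None) for c in HIERARCHY]

if __name__ == "__main__":
    for label, web in (("hierarchy", HIERARCHY), ("general", GENERAL),
                       ("unconstrained", UNCONSTRAINED)):
        print(label, trusted(web, "root", "/org-b/bob"))
```

The search accepts a name as soon as any single path validates it, which is why the extra unconstrained link in `GENERAL` changes the outcome for `/org-b/bob`.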