Re: automated processing of generalized certificates



At 20:32 2/29/96, Neal McBurnett wrote:

[lots of good stuff -- valuable suggestions, IMO]

One nit:

>Another high-level sort of semantics we need to capture is the
>rules for "chaining" of certificates.  E.g. PGP allows chaining of
>email identity certs.  I've done a study of the 'web of trust'
>that is generated by that, available at
>        http://bcn.boulder.co.us/~neal/pgpstat/
>
>Rules like which types of certificates (Meaning-Registered major
>type?) can chain to which other certificates, perhaps how long a chain
>can be, the need for multiple independent paths, etc. might be
>specified or left to user specification.

PGP's web of trust, if it means anything at all, is like a sociogram.
It tells who has met whom, for key signing.  Some of those meetings
aren't physical, even....  That kind of linkage might dilute with
distance.

The linkage in a certificate chain is different.  The Issuer needs
the authority to be an Issuer of that particular Meaning cert -- and
ditto, his Issuer.  This chain of meanings would usually differ at
each link in the chain and there's no reason it would be size limited.
There's a clear need for setting out, in a cert's Meaning, what
rights and attributes this cert assigns to the signed key -- and
therefore what that signed key can do for a living...or, as you said,
"which types of certificates [...] can chain to which other certificates".


+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+
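
The authority rule described in the message above, as an added example that is not part of the original message or of any project it mentions: each link's Meaning must grant the signed key the right to issue the next link's Meaning, and no chain-length limit is applied. The Cert fields, key names and Meaning labels are hypothetical, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str    # key that signed this cert (constructed key names)
    subject: str   # key being certified
    meaning: str   # the cert's Meaning type (hypothetical labels)
    may_issue: frozenset = frozenset()  # Meanings the signed key may issue

def check_chain(chain, roots):
    """Return (ok, reason). `roots` maps a trusted root key to the set of
    Meanings it may issue. Signatures are assumed already verified."""
    if not chain:
        return False, "empty chain"
    signer = chain[0].issuer
    allowed = roots.get(signer)
    if allowed is None:
        return False, f"{signer} is not a trusted root"
    for i, cert in enumerate(chain):
        # Each cert must be signed by the key the previous link certified.
        if cert.issuer != signer:
            return False, f"link {i}: issuer {cert.issuer} is not {signer}"
        # The signer's own cert must have granted authority for this Meaning.
        if cert.meaning not in allowed:
            return False, (f"link {i}: {signer} has no authority "
                           f"to issue '{cert.meaning}'")
        signer, allowed = cert.subject, cert.may_issue
    return True, f"{signer} holds '{chain[-1].meaning}'"

# Constructed sample data: the Meaning differs at every link.
ROOTS = {"K_bank": {"branch-officer"}}
GOOD = [
    Cert("K_bank", "K_branch", "branch-officer", frozenset({"teller"})),
    Cert("K_branch", "K_teller", "teller", frozenset({"account-holder"})),
    Cert("K_teller", "K_alice", "account-holder"),
]
# K_alice's cert grants no issuing rights, so this extra link must fail.
BAD = GOOD + [Cert("K_alice", "K_eve", "teller")]

if __name__ == "__main__":
    print(check_chain(GOOD, ROOTS))
    print(check_chain(BAD, ROOTS))
```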