[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: automated processing of generalized certificates

At 20:32 2/29/96, Neal McBurnett wrote:

[lots of good stuff -- valuable suggestions, IMO]

One nit:

>Another high-level sort of semantics we need to capture is the
>rules for "chaining" of certificates.  E.g. PGP allows chaining of
>email identity certs.  I've done a study of the 'web of trust'
>that is generated by that, available at
>        http://bcn.boulder.co.us/~neal/pgpstat/
>Rules like which types of certificates (Meaning-Registered major
>type?) can chain to which other certificates, perhaps how long a chain
>can be, the need for multiple independent paths, etc. might be
>specified or left to user specification.

PGP's web of trust, if it means anything at all, is like a sociogram.
It tells who has met whom, for key signing.  Some of those meetings
aren't physical, even....  That kind of linkage might dilute with

The linkage in a certificate chain is different.  The Issuer needs
the authority to be an Issuer of that particular Meaning cert -- and
ditto, his Issuer.  This chain of meanings would usually differ at
each link in the chain and there's no reason it would be size limited.
There's a clear need for setting out, in a cert's Meaning, what
rights and attributes this cert assigns to the signed key -- and
therefore what that signed key can do for a living...or, as you said,
"which types of certificates [...] can chain to which other certificates".

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |