[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate Variability

To: cme@cybercash.com (Carl Ellison)
Subject: Re: Certificate Variability
From: azb@llnl.gov (Tony Bartoletti)
Date: Thu, 14 Mar 1996 11:40:46 -0800
Cc: spki@c2.org

Carl Ellison wrote:
>At 22:12 3/13/96, Tony Bartoletti wrote:
>>In the spki discussion to date, at least two "straw-men" certificate
>>structures have been offered up to serve as anchors for discussion.
>
>>The first, I believe, was offered by Carl Ellison.  This "generalized"
>>certificate has the following minimal structure:
>>
>>      Certifying-key:  <KEY_ID>
>>      Signed-key:      <KEY_ID>
>>      Validity:        <DATE_RANGE>
>>      Meaning:         <variable structure>
>>      (cert-key signature appended).
>
>>Another target was offered recently by Paul Leach:
>>
>>      Cert-Name:       <DNS-name>
>>      Issuer-Name:     <DNS-name>
>>      Key:             <base64>
>>      Expires:         <RFC1123-date>
>>      Serial:          <RFC822-msgID>
>>      Sig:             <base64>
>
>Tony,
>
>        I like your analysis but don't believe that Paul and I are that far
>apart [as I indicated in my previous message to Paul].  In particular, if
>Paul were to relabel Cert-Name to Cert-Loc, then the label would be more
>true to the meaning of that field and would not suggest a kinship to
>X.509's use of DNs.  One *does* need to know where to find a given key.
>
>If Paul were only to add a Meaning field, so that this format doesn't
>suffer from the Vogon HQ problem, then I could see his proposal as a form
>of mine -- with no real conflict.
>

I was actually trying (albeit poorly) to highlight their similarities, and
I did not mean to focus primarily on the precise merits of either.  I was
hoping to draw out how the important twin goals of "wide generality" and "compact-simplicity", while not mutually exclusive, do present some degree
of challenge in addressing together.  My *central* question (appropriately
buried deep within the body of my posting:-) remains:

    When are two competing certificate models so different that they
    must belong in "different worlds", rather than be subsumed within
    a generic certificate handling framework?

In particular, is it possible (and desireable) to define a (very simple) uberstructure for certificate bodies, so that different cert-bodies could
be minimally handled (identified as to format-type and semantic ability, independent of content parsing) within a common operational framework.

By format-type, I mean structural specifics and encodings.  By semantic
abilities, I mean "Requires-CRL or not, Meaning-included or not, etc."

All SPKI-Compliant cert-handlers would be required to parse this minimal
shell, conveyed in a lowest-common-denominator form.

My thought is that cert-handlers could then have a front-end capable of
shuttling certificates about in an intelligent fashion, without having
to parse cert-contents in detail.  This division of labor also helps to
more cleanly divorce the structure & encoding issues from the semantic
model differences.

___TONY___

Tony Bartoletti                                             LL
SPI Project Leader                                       LL LL
Computer Security Technology Center                   LL LL LL
Lawrence Livermore National Lab                       LL LL LL
PO Box 808, L - 303                                   LL LL LLLLLLLL
Livermore, CA 94551-9900                              LL LLLLLLLL
email: azb@llnl.gov   phone: 510-422-3881             LLLLLLLL

Prev by Date: Re: CYLINK's Support for Open Public Key Standards
Next by Date: Re: CYLINK's Support for Open Public Key Standards
Prev by thread: Re: Certificate Variability
Next by thread: CYLINK's Support for Open Public Key Standards
Index(es):
- Main
- Thread