[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is meaning important?
(Bill Sommerfeld responding to Ben Laurie):
>
> Could we not make useful progress by ignoring the question of CRLs, trust
> models and so on, and concentrating on the interchange aspects of
> the system?
>
>We might make progress by ignoring the hard problems, but I think the
>end result wouldn't be enough of an improvement over the "x.509 for
>the internet" approach of the pkix group.
>
> I'm not saying that these issues do not need to be addressed, just that
>there
> are many uses for certificates, and many different models for verifying
>them,
> all of which could be built on a single interchange methodology
> (maybe).
>
>I disagree.
>
>If you build something with no understanding of how it will be used,
>it won't work very well.
>
>Certificates need to certify something which is meaningful to an
>application in a way which the application can trust. If the base
>certificate encoding has a flaw which prevents us from doing that, I'd
>rather know sooner rather than later..
>
> - Bill
It is the detection of such a "flaw" (by which I assume you mean an
unrecognized encoding, structure, or inappropriate semantic content)
that I hoped to address by suggesting a "Cert-Spec" header, minimal
in size and coded in a lowest-common-denominator representation.
It would convey, at the outset, both the type of encodings used within,
but also semantic "facts" such as...
() validation of this cert utilizes:
(a CRL lookup) vs (short-term-cert Validity Period)
() this cert contains:
(a complete signed public key) vs (hash of key, separate lookup needed)
etc...
The Cert-Spec is exactly intended to let you know "sooner rather than later."
___TONY___
Tony Bartoletti LL
SPI Project Leader LL LL
Computer Security Technology Center LL LL LL
Lawrence Livermore National Lab LL LL LL
PO Box 808, L - 303 LL LL LLLLLLLL
Livermore, CA 94551-9900 LL LLLLLLLL
email: azb@llnl.gov phone: 510-422-3881 LLLLLLLL