[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: single <auth> per cert (was Re: "auth" --> "tag" ?? )

Bill Frantz, <frantz@netcom.com>, writes:
> It seems to me that the only programs interested in the meaning of auth
> tags will be the requesting program and the program validating that
> request.  Both of them can be assumed to have an application level of what
> intersection means for the tags in question.  Are there any other programs
> who have such an interest?

Presumably in the context of a chain of certificates, at least one other
program would have issued a certificate using the tag.  We can assume
that the validating program issued the first authorization in the chain,
but it was not issued directly to the requesting program, rather to
some other agent.  That agent propagated the authority through possibly
other entities, who eventually propagated it to the requesting program.
That is why there is a chain.

So in this case at least the other agents in the chain would have
known the meaning of the auth tag so they knew what authority they were
passing on.  (I suppose they might have just been propagating all their
authority in a blanket fashion, but that would not always be the case.)

I also thought that there might be a local, trusted server which simply
collapsed chains of tags as a service for the client which validates the
final chain.  The server might even be responsible for seeking out the
intermediate certs in the chain so that the requestor would not have to
carry them.  The server would then produce a CRCert which would go to
the validating program to assert that the chain had collapsed meaningfully.

This would then be another program which would have to be interested in the
meaning of the auth tags, so that it could do this otherwise-mechanical
collapse process.  This server program was the one which I thought would
be a candidate for interpreting a chain without knowing the semantics of
the auth tags.