Re: Multi-Tag-Cert Tag Creation and Validation

Carl Ellison wrote:
>At 01:51 PM 4/14/97 -0700, Tony Bartoletti wrote:
>>Peter Williams wrote:
>>>Are SPKI tags limited to a single parent in their construction form?
>>>Surely, the single-tag cert could need to reference multiple cert-id's
>>>which grant it authority or other privilege.
>>Certainly a single SPKI certificate may need to reference multiple
>>authorizing certificates, but I cannot see how the validation process
>>would be made to understand that a particular tag must be intersected
>>with a peer-set of parent tags up the chain (mesh).
>Each certificate has one issuer.  If you have multiple credentials which
>drive a PolicyMaker program, each would have only one issuer (possibly
>different ones).  I see no way to define a certificate which itself
>has multiple issuers in any simple way.

When I said "a single SPKI certificate may need to reference multiple
authorizing certificates," I did not mean to imply a certificate would have
multiple issuers.  Rather, the signing key of the one issuer of cert CX
may itself have been certified by different authorities for different tags.
Where CX itself contains multiple tags, it would be necessary for the
supplicant to gather and present those certificates on the issuer key
which support the capabilities asserted in the CX tags.

Does this not seem reasonable?
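
The check described in the message above, as an added example that is not part of the original thread or of any SPKI implementation: for each tag in CX, the verifier looks for a presented certificate on CX's issuer key that carries that tag and chains to a key the verifier trusts. Assumptions: tags are modelled as atomic strings (real SPKI tags are S-expressions that get intersected), signatures are taken as already verified, and all key and tag names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str            # the certificate's single issuer key
    subject: str           # key being certified
    tags: frozenset        # atomic tag names (simplification, see lead-in)
    delegate: bool = True  # may the subject pass these tags further on?

def key_holds(key, tag, presented, roots, seen=()):
    """True if `key` may issue `tag`, judged from the presented certs."""
    if key in roots:       # verifier's own trust anchors
        return True
    if key in seen:        # guard against certification loops
        return False
    return any(
        c.subject == key and c.delegate and tag in c.tags
        and key_holds(c.issuer, tag, presented, roots, seen + (key,))
        for c in presented
    )

def unsupported_tags(cx, presented, roots):
    """Tags asserted in `cx` that no presented cert on its issuer backs."""
    return {t for t in cx.tags
            if not key_holds(cx.issuer, t, presented, roots)}

# Constructed sample: issuer key K_I is certified by authority K_A for
# one tag and by authority K_B for another; CX asserts both tags.
ROOTS = {"K_A", "K_B"}
CERT_A = Cert("K_A", "K_I", frozenset({"ftp-read"}))
CERT_B = Cert("K_B", "K_I", frozenset({"sign-po"}))
CERT_B_NO_DELEGATE = Cert("K_B", "K_I", frozenset({"sign-po"}), delegate=False)
CX = Cert("K_I", "K_user", frozenset({"ftp-read", "sign-po"}), delegate=False)

if __name__ == "__main__":
    # Both supporting certs presented: every CX tag is backed.
    print(unsupported_tags(CX, [CERT_A, CERT_B], ROOTS))
    # Only one presented: the other tag has no authority behind it.
    print(unsupported_tags(CX, [CERT_A], ROOTS))
    # K_B certified the issuer without delegation: tag is not backed.
    print(unsupported_tags(CX, [CERT_A, CERT_B_NO_DELEGATE], ROOTS))
```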