
Multiple certification rules, OK?

Below is a message from Stephen Kent which shows that the idea of
multiple certificates for a public key is becoming widely accepted.

Each certificate encodes some assertion about the subject public key by
the owner of the public key used to sign the certificate. For reasoning
about these assertions we need a common format to represent the
information. However we won't have a common format for the canonical
representation which is the actual bit pattern signed because that is
out of our control in many cases. If we only accept things signed 
using our canonical form then lots of valuable information about
public keys becomes inaccessible.

Bob Smart

------- Forwarded Message

Date: Tue, 3 Jun 1997 15:58:12 -0400
To: Shyh-Wei Luan <luan@almaden.ibm.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: X.509 certificate and its subject name field
Cc: ssl-talk@netscape.com, ietf-pkix@tandem.com


We disagree on what the common model of PKIs will be, and maybe that's at
the heart of some other disagreements as well.  There is no single
identifier, nor even a small number of them, that can be put into certs and
that are ideal for all the transactions in which I engage.  One approach is
to have each business with whom I interact do a mapping from generic certs
to their databases, but another approach is to have the business issue me a
cert to facilitate later interactions.  The issuance might be predicated on
use of a generic cert from a governmental org or a third party like
VeriSign, CertCo, CertiCom, ..., or it may be based on knowledge from an
existing customer database.  The latter approach is what we are seeing now
in several systems, e.g., Liberty Financial was among the first, and what I
expect may become commonplace.  It has numerous advantages relative to
reliance on certs issued by other orgs, especially orgs that try to
simultaneously charge for certs and disavow any liability.  This was the
focus of my keynote talk at the DIMACS trust management workshop last fall,
and the subject of a paper that will soon be released.


------- End of Forwarded Message
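The two points above, Bob Smart's distinction between the bit pattern that was actually signed and a common format used only for reasoning, and Stephen Kent's picture of one key carrying certs from both a generic CA and a business, can be shown together in code. The following is an added illustration, not code from either author or from any SPKI or PKIX implementation. It assumes two constructed certificate formats (a JSON record with X.509-style field names and an SPKI-style S-expression), hypothetical signer names `ca:generic` and `biz:acme-bank`, and a stand-in "signature" made with HMAC-SHA256 under a per-signer secret, which stands where a real public-key signature would go; the shape of the argument is the same: verify over the original bytes, reason over the normalized form.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample signers (hypothetical). HMAC is used only as a stand-in
# for a public-key signature so the example runs with the standard library.
SIGNER_SECRETS = {
    "ca:generic": b"secret-of-generic-ca",    # third-party / generic CA
    "biz:acme-bank": b"secret-of-acme-bank",  # business issuing its own cert
}


def toy_sign(signer: str, data: bytes) -> str:
    return hmac.new(SIGNER_SECRETS[signer], data, hashlib.sha256).hexdigest()


def toy_verify(signer: str, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(toy_sign(signer, data), sig)


@dataclass
class Assertion:
    """Common format for reasoning: one statement by `signer` about `subject`."""
    signer: str
    subject: str
    claims: dict
    signed_bytes: bytes  # the exact, format-specific bytes that were signed
    signature: str


def parse_sexp(text: str):
    """Minimal S-expression reader: '(a (b c))' -> ['a', ['b', 'c']]."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()

    def walk(i):
        if tokens[i] == "(":
            out, i = [], i + 1
            while tokens[i] != ")":
                item, i = walk(i)
                out.append(item)
            return out, i + 1
        return tokens[i], i + 1

    tree, _ = walk(0)
    return tree


def from_json_cert(raw: bytes, sig: str) -> Assertion:
    """Normalize an X.509-style JSON record into the common Assertion form."""
    doc = json.loads(raw)
    claims = {"name": doc["cn"], "not_after": doc["notAfter"]}
    return Assertion(doc["issuer"], doc["subjectPublicKey"], claims, raw, sig)


def from_sexp_cert(raw: bytes, sig: str) -> Assertion:
    """Normalize an SPKI-style S-expression cert into the common form."""
    tree = parse_sexp(raw.decode())
    fields = {item[0]: item[1:] for item in tree[1:]}
    tag = fields["tag"][0]
    claims = {"not_after": fields["not-after"][0], tag[0]: tag[1]}
    return Assertion(fields["issuer"][0], fields["subject"][0], claims, raw, sig)


def canonical_bytes(a: Assertion) -> bytes:
    """Our canonical representation; this is NOT what the issuer signed."""
    body = {"signer": a.signer, "subject": a.subject, "claims": a.claims}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def verify(a: Assertion) -> bool:
    """Correct: check the signature over the bytes the issuer actually signed."""
    return toy_verify(a.signer, a.signed_bytes, a.signature)


def verify_over_canonical(a: Assertion) -> bool:
    """What happens if we insist on our own canonical form: it never matches."""
    return toy_verify(a.signer, canonical_bytes(a), a.signature)


def assertions_about(subject: str, certs: list) -> dict:
    """Merge verified claims about one key, keyed by claim then by signer."""
    merged = {}
    for a in certs:
        if a.subject == subject and verify(a):
            for k, v in a.claims.items():
                merged.setdefault(k, {})[a.signer] = v
    return merged


# Constructed sample certificates: a generic CA cert and a business-issued
# cert, in two different encodings, both about the same hypothetical key.
JSON_CERT = json.dumps({"issuer": "ca:generic", "subjectPublicKey": "key:alice",
                        "cn": "Alice Example", "notAfter": "2026-01-01"}).encode()
SEXP_CERT = (b"(cert (issuer biz:acme-bank) (subject key:alice) "
             b"(tag (account 12345)) (not-after 2026-06-30))")


def build_sample_certs() -> list:
    return [
        from_json_cert(JSON_CERT, toy_sign("ca:generic", JSON_CERT)),
        from_sexp_cert(SEXP_CERT, toy_sign("biz:acme-bank", SEXP_CERT)),
    ]


if __name__ == "__main__":
    certs = build_sample_certs()
    print("verify over original bytes:", [verify(c) for c in certs])
    print("verify over canonical form:", [verify_over_canonical(c) for c in certs])
    print(assertions_about("key:alice", certs))
```

The reasoning layer only ever sees `Assertion` objects, so a query such as `assertions_about("key:alice", certs)` returns the name vouched for by the generic CA alongside the account number vouched for by the bank without caring which encoding each came in; the signed bytes travel with each assertion precisely so that verification can be redone over the issuer's own format rather than over a form the issuer never saw.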