[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multiple certification rules, OK?

> From: Bob Smart <Robert.Smart@mel.dit.csiro.au>
> Below is a message from Stephen Kent which shows that the idea of
> multiple certificates for a public key is becoming widely accepted.

Steve can certainly speak for himself, but I see nothing in this quote
that advocates, or even discusses, multiple certificates for a single
public key.

What it does discuss is the issuance of multiple certificates, from
multiple issuers, to a single entity.  None of the issuers can
*prevent* the reuse of keypairs (assuming the client chooses the keys),
but a prudent client would find it in his own interest to use different
keys for each different issuer.

> Each certifcate encodes some assertion about the subject public key by
> the owner of the public key used to sign the certificate. For reasoning
> about these assertions we need a common format to represent the
> information. However we won't have a common format for the canonical
> representation which is the actual bit pattern signed because that is
> out of our control in many cases. If we only accept things signed 
> using our canonical form then lots of valuable information about
> public keys becomes inaccessable.

Agree completely.