Re: Multiple certification rules, OK?
> From: Bob Smart <Robert.Smart@mel.dit.csiro.au>
> Below is a message from Stephen Kent which shows that the idea of
> multiple certificates for a public key is becoming widely accepted.
Steve can certainly speak for himself, but I see nothing in this quote
that advocates, or even discusses, multiple certificates for a single
What it does discuss is the issuance of multiple certificates, from
multiple issuers, to a single entity. None of the issuers can
*prevent* the reuse of keypairs (assuming the client chooses the keys),
but a prudent client would find it in his own interest to use different
keys for each different issuer.
> Each certificate encodes some assertion about the subject public key by
> the owner of the public key used to sign the certificate. For reasoning
> about these assertions we need a common format to represent the
> information. However we won't have a common format for the canonical
> representation which is the actual bit pattern signed because that is
> out of our control in many cases. If we only accept things signed
> using our canonical form then lots of valuable information about
> public keys becomes inaccessible.