[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multiple certification rules, OK?

>> From: Bob Smart <Robert.Smart@mel.dit.csiro.au>
>> Below is a message from Stephen Kent which shows that the idea of
>> multiple certificates for a public key is becoming widely accepted.
>Steve can certainly speak for himself, but I see nothing in this quote
>that advocates, or even discusses, multiple certificates for a single
>public key.
>What it does discuss is the issuance of multiple certificates, from
>multiple issuers, to a single entity.  None of the issuers can
>*prevent* the reuse of keypairs (assuming the client chooses the keys),
>but a prudent client would find it in his own interest to use different
>keys for each different issuer.

I agree completely.

While I wouldn't go so far as to say that never, ever, under any
circumstances, shouuld someone include the same public key in two different
certificates, I would only do so with great trepidation. The issues of
certificate suspence, revocation, and expiration happening at different
times; confusion about which set of priviledges was actually being used or
claimed with respect to a digital signature; and other problems which I
probably overlooked would require very careful study before I would feel

Given a choice between finesse, which invariably requires a great deal of
thought, and  a straight forward approach that may lack some elegance, I'll
almost always choose the bigger hammer. Cryptographic protocols, in
particular, are notoriously difficut to get right, and most of us have a
couple of billion brain cells fewer than that which always seems to be
needed. Unfortunately, we typically discover that after the fact rather than


Robert R. Jueneman
Security Architect
Novell, Inc.
Internet Infrastructure Division
122 East 1700 South
Provo, UT 84604