[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: non-id certs +++
I am very uncomfortable with SPKI requiring certficates to be
subject-signed. I think it is helpful to restate this proposed
requirement more clearly:
A conforming implementation MUST NOT accept as authorization or
proof of identify any certificate having as subject a public key
unless the certificate is also signed by the private key.
Rather than this requirement, it might be reasonable for the draft to
include a comment saying that there are legal issues regarding
self-signing of certificates, and that as part of POLICY, a verifier
MAY choose not to accept certificates which are not self-signed.
In the case of a bank wishing to try to claim nonrepudiation, as
mentioned previously, it would seem sensible for them to refuse certs
that are not self-signed.
I can't convince myself that everyone would always want such a
restriction, and since this is really policy not mechanism, I can't
support putting it in a standard.
Greg Troxel <email@example.com>