
Re: non-id certs +++

I am very uncomfortable with SPKI requiring certificates to be
subject-signed.  I think it is helpful to restate this proposed
requirement more clearly:

   A conforming implementation MUST NOT accept as authorization or
   proof of identity any certificate having as subject a public key
   unless the certificate is also signed by the private key.

Rather than this requirement, it might be reasonable for the draft to
include a comment saying that there are legal issues regarding
self-signing of certificates, and that as part of POLICY, a verifier
MAY choose not to accept certificates which are not self-signed.

In the case of a bank wishing to try to claim nonrepudiation, as
mentioned previously, it would seem sensible for them to refuse certs
that are not self-signed.

I can't convince myself that everyone would always want such a
restriction, and since this is really policy not mechanism, I can't
support putting it in a standard.

        Greg Troxel <gdt@bbn.com>
