
RE: Designer Certs

Hi Phill,

>From: 	Phillip M. Hallam-Baker[SMTP:hallam@ai.mit.edu]
>Sent: 	Saturday, February 07, 1998 1:40 PM
>To: 	Rich Salz; curtis_yarvin@geoworks.com
>Cc: 	cert-talk@structuredarts.com; spki@c2.net
>Subject: 	Re: Designer Certs
>
>Finally consider the problem of interdomain certification, the 
>problem of one CA recognising certificates of another. One camp
>declares that the way to solve this is to create some automated
>cross-certification mechanism. I find this unconvincing since
>it implies that establishing trust between CAs is easier than
>establishing trust between individuals.
>Another camp says, this is the area where humans have to enter,
>where trust is going to be established in long meetings with lots
>of lawyers sitting round the table.

It seems to me that the two "camps" you describe are really the same
people sitting in the same campground.  The only thing the first camp is
saying (as far as I can tell) is that once the humans have entered, once
the trust has been established in long meetings, there is a need to
define a bits-on-the-wire protocol so that the certification can
actually take place.

The lawyers sitting around the table will not pass around public keys
like they pass around business cards.  This exchange will happen
electronically (probably after the paper documents have been negotiated
and signed by hand), so there needs to be an automated mechanism whereby
an electronic request for cross-certification is sent and an electronic
response (containing the cross-certificate) is returned.

The camps you describe are not in opposition.  Each is concentrating on
one of the important (in some cases, necessary) pieces in the
cross-certification process.

Carlisle Adams
Entrust Technologies