
Re: re. name cert meaning

>Having a certain SDSI name is not a privilege in and of itself.
>Being able to claim that you are the person referred to by
>an X.509 name is.
>It's angels on a pin, of course, but it seemed worth saying.

Given that we're trying to sell angels and pinheads here,
it's definitely worth saying, especially as there are legal standards
committees trying to pin down the relationships.
The difficulty is that the technology itself can really only
specify a relationship between names and pieces of data,
and can demonstrate that a given cert was produced by the
holder(s) of a given piece of data.  The X.509 protocols
don't do any more; the primary difference between them and
the PGP certification protocols is that an X.509 cert
only maps from one certifying keypair to one name/key pair,
while PGP can map from multiple certifying keypairs to a name/key pair.
(Thus, non-hierarchical certification chains are more convenient in PGP,
though you can accomplish the same with groups of X.509 certs.)

The worldview that fits behind them, about relationships between
pieces of data, name strings, and bodies is really outside the technology.
The business applications of those certs depend on the relationships -
PGP has allowed us to explore broader sets of business applications than
the original rigid X.509 hierarchical True-Name-centered model did,
and we need to maintain that flexibility.  On the other hand,
PGP's loose semantics, while pretty good for the original applications,
aren't always enough to develop automated tools taking advantage of
the information about business relationships encoded in the certs,
and it's valuable to explore further specification to help
build tools, as well as to help describe the formal out-of-band
relationships that certs are used for.

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
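The structural difference the message describes (an X.509 cert binds one certifying keypair to one name/key pair and chains to a root, while a PGP key can carry certifications from several independent signers) can be made concrete in code. The following Go program is an added illustration, not part of Bill Stewart's message or of any real X.509 or PGP implementation: it uses a toy certificate format over Ed25519 signatures, with constructed keys and the names root, ca, alice, bob and carol, and shows both verification models plus the one thing the technology itself can prove, namely that a cert was signed by the holder of a given private key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a toy certificate (assumed format, not X.509 or OpenPGP): an
// issuer key vouching for a subject name/key pair. The signature proves only
// that the holder of the issuer's private key produced this binding.
type Cert struct {
	Issuer     ed25519.PublicKey
	Subject    string
	SubjectKey ed25519.PublicKey
	Sig        []byte
}

// tbs is the "to be signed" encoding: name, NUL separator, raw subject key.
func tbs(subject string, key ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), key...)
}

// Issue signs a name/key binding with the issuer's private key.
func Issue(issuerPriv ed25519.PrivateKey, subject string, key ed25519.PublicKey) Cert {
	return Cert{
		Issuer:     issuerPriv.Public().(ed25519.PublicKey),
		Subject:    subject,
		SubjectKey: key,
		Sig:        ed25519.Sign(issuerPriv, tbs(subject, key)),
	}
}

// Valid checks that the cert's signature matches its issuer and contents.
func (c Cert) Valid() bool {
	return ed25519.Verify(c.Issuer, tbs(c.Subject, c.SubjectKey), c.Sig)
}

// VerifyChain is the hierarchical (X.509-style) model: chain[0] is the leaf,
// each cert's issuer must be the subject key of the next cert, and the last
// cert must be issued directly by one of the trusted roots.
func VerifyChain(chain []Cert, roots []ed25519.PublicKey) bool {
	if len(chain) == 0 {
		return false
	}
	for i, c := range chain {
		if !c.Valid() {
			return false
		}
		if i+1 < len(chain) && !bytes.Equal(c.Issuer, chain[i+1].SubjectKey) {
			return false
		}
	}
	last := chain[len(chain)-1]
	for _, r := range roots {
		if bytes.Equal(last.Issuer, r) {
			return true
		}
	}
	return false
}

// Vouched is the non-hierarchical (PGP-style) model: the same name/key pair
// may carry certifications from many signers, and it is accepted once at
// least `need` distinct trusted introducers have validly signed it.
func Vouched(subject string, key ed25519.PublicKey, certs []Cert, trusted []ed25519.PublicKey, need int) bool {
	seen := map[string]bool{}
	for _, c := range certs {
		if c.Subject != subject || !bytes.Equal(c.SubjectKey, key) || !c.Valid() {
			continue
		}
		for _, t := range trusted {
			if bytes.Equal(c.Issuer, t) {
				seen[string(t)] = true
			}
		}
	}
	return len(seen) >= need
}

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo builds both structures over constructed keys and returns whether the
// X.509-style chain verifies, whether the PGP-style web verifies, and whether
// a cert with an altered subject still verifies (it must not).
func Demo() (chainOK, webOK, alteredOK bool) {
	rootPub, rootPriv := keygen()
	caPub, caPriv := keygen()
	alicePub, _ := keygen()
	bobPub, bobPriv := keygen()
	carolPub, carolPriv := keygen()

	// Hierarchy: root certifies ca, ca certifies alice.
	chain := []Cert{Issue(caPriv, "alice", alicePub), Issue(rootPriv, "ca", caPub)}
	chainOK = VerifyChain(chain, []ed25519.PublicKey{rootPub})

	// Web: alice's key is certified independently by bob and carol.
	sigs := []Cert{Issue(bobPriv, "alice", alicePub), Issue(carolPriv, "alice", alicePub)}
	webOK = Vouched("alice", alicePub, sigs, []ed25519.PublicKey{bobPub, carolPub}, 2)

	// Rebinding bob's signature to another name breaks the signature.
	altered := Issue(bobPriv, "alice", alicePub)
	altered.Subject = "mallory"
	alteredOK = altered.Valid()
	return
}

func main() {
	fmt.Println(Demo()) // expected: true true false
}
```

Both verifiers answer only the narrow question the message says the technology can answer: did the holder of a given key sign a given name/key binding? Whether "alice" denotes a particular person, and whether bob and carol should count as introducers, is the out-of-band relationship that the code cannot express and that has to be specified separately.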