
Re: X.509 ACs vs. SPKI?

Denis Pinkas wrote:

> Steve,
> I have a comment on this E-mail.
> > Carl,
> >
> > I agree that the only safe way to bind an attribute cert to an identity
> > cert is via the public key hash. That's what I always recommend to my
> > clients.
> I wonder if it is a good recommendation. :-(  This may be appropriate in some
> contexts but not in general.
> A user may have two public key certificates with two different names but with
> the same public key. In that case it is not always possible to know with which
> of the two certificates the AC is associated.

I believe that this is the point.  The AC would be associated with the key, not
with any specific certificate.  Yes, that means there is no published expiration
time for the key, no way to check revocation (except perhaps with the keyholder),
and no way to associate a global name with it.  The last time I checked, it was
still possible to use key pairs without having a certificate associated with them!

Validity time, and revocation services would only apply to the AC itself if this
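The two binding options under discussion, as an added example that is not part of this thread or any project's code: a toy model in Python that names an AC holder either by a hash over the holder's public key (the "key, not certificate" binding the reply describes) or by the issuer and serial number of one specific certificate. The DER encoder, the key values, the certificate dicts and the use of SHA-256 are all constructed for the example; the certificates are dicts, not real X.509 objects.

```python
import hashlib

# --- minimal DER encoder, just enough to build a SubjectPublicKeyInfo for an RSA key ---

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """TLV: one tag octet, DER length, then the body."""
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    """DER INTEGER for a non-negative value (an extra leading 0x00 keeps the sign bit clear)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def spki_rsa(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING (RSAPublicKey) }."""
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))  # rsaEncryption, NULL params
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))  # 0x00 = no unused bits in BIT STRING

def key_hash(spki):
    """Key-hash binding: digest over the DER SubjectPublicKeyInfo only, nothing from the certificate."""
    return hashlib.sha256(spki).hexdigest()

# --- two ways an AC can identify its holder ---

def holders_by_key_hash(ac_holder_hash, certs):
    """Key-hash binding: every certificate carrying that key matches, whatever name it carries."""
    return [c for c in certs if key_hash(c["spki"]) == ac_holder_hash]

def holders_by_issuer_serial(issuer, serial, certs):
    """Issuer/serial binding: points at exactly one certificate and inherits its lifetime and revocation."""
    return [c for c in certs if c["issuer"] == issuer and c["serial"] == serial]

# --- constructed sample data: toy key sizes, invented names and serials ---

KEY_A = (0xC3F1A5B7D9E2F4061B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F607183, 65537)
KEY_B = (0xB7D1E3F5A7C9DB1D2F3E4D5C6B7A89980A1B2C3D4E5F60718293A4B5C6D7E8F1, 65537)

CERTS = [
    # Two certificates, two different names, one and the same public key (Denis's case).
    {"subject": "CN=Alice,O=Employer",  "issuer": "CN=Corp CA", "serial": 1001, "spki": spki_rsa(*KEY_A)},
    {"subject": "CN=alice@example.net", "issuer": "CN=Mail CA", "serial": 7,    "spki": spki_rsa(*KEY_A)},
    # An unrelated certificate with a different key.
    {"subject": "CN=Bob,O=Employer",    "issuer": "CN=Corp CA", "serial": 1002, "spki": spki_rsa(*KEY_B)},
]

def demo():
    """Return (subjects matched by key hash, subjects matched by issuer/serial) for the same AC holder."""
    ac_holder = key_hash(spki_rsa(*KEY_A))  # the AC says: "the holder is whoever holds this key"
    by_key = holders_by_key_hash(ac_holder, CERTS)
    by_cert = holders_by_issuer_serial("CN=Corp CA", 1001, CERTS)
    return [c["subject"] for c in by_key], [c["subject"] for c in by_cert]

if __name__ == "__main__":
    matched_by_key, matched_by_cert = demo()
    print("key-hash binding matches:     ", matched_by_key)
    print("issuer/serial binding matches:", matched_by_cert)
```

Running `demo()` shows both sides of the exchange at once: the key-hash holder matches both of Alice's certificates, so a relying party that wants to know which certificate (and therefore which name, expiry and CRL) applies cannot tell, which is Denis's objection; the reply's position is that this is not a defect, because the AC is bound to the key and not to either certificate, so the certificate's lifetime and revocation status are simply not part of the binding. The issuer/serial form selects one certificate and gets those properties back at the price of tying the AC to that certificate's lifetime.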