From owner-spki@c2.net Thu May 27 12:35:30 1999
Received: from blacklodge.c2.net (blacklodge.c2.net [140.174.185.245]) by lox.sandelman.ottawa.on.ca (8.8.7/8.8.8) with ESMTP id MAA16501; Thu, 27 May 1999 12:35:29 -0400 (EDT)
Received: (from majordom@localhost) by blacklodge.c2.net (8.8.8/8.7.3) id IAA06752 for spki-outgoing; Thu, 27 May 1999 08:47:50 -0700 (PDT)
Message-ID: <374D6842.E9CC01DB@netscape.com>
Date: Thu, 27 May 1999 08:44:02 -0700
From: thayes@netscape.com (Terry Hayes)
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Denis Pinkas
CC: Stephen Kent, "Ellison, Carl M", ietf-pkix@imc.org, spki@c2.net
Subject: Re: X.509 ACs vs. SPKI?
References: <374D3362.C62C21D5@bull.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-spki@c2.net
Precedence: bulk

Denis Pinkas wrote:

> Steve,
>
> I have a comment on this E-mail.
>
> > Carl,
> >
> > I agree that the only safe way to bind an attribute cert to an identity
> > cert is via the public key hash. That's what I always recommend to my
> > clients.
>
> I wonder if it is a good recommendation. :-( This may be appropriate in some
> contexts but not in general.
>
> A user may have two public key certificates with two different names but with
> the same public key. In that case it is not always possible to know with which
> of the two certificates the AC is associated.

I believe that this is the point. The AC would be associated with the key, not
with any specific certificate. Yes, that means there is no published expiration
time for the key, no way to check revocation (except perhaps with the
keyholder), and no way to associate a global name with it.

The last time I checked, it was still possible to use key pairs without having
a certificate associated with them! :)

Validity time and revocation services would only apply to the AC itself in this
environment.

Terry
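An added illustration of the binding question discussed above, not code from the thread or from either PKI working group: a simplified model of the three RFC 3281 Holder forms (baseCertificateID, entityName, objectDigestInfo over the public key), showing that a key-hash binding matches every certificate carrying that key, which is the ambiguity Denis raises and the key-not-certificate association Terry describes. The data structures and the rule that every Holder field present must match are assumptions of this example, not ASN.1 from the standard.

```python
# Added example: which public key certificates does an attribute certificate
# (AC) Holder bind to? Hand-rolled stand-ins for the X.509 structures.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PublicKeyCert:
    issuer: str
    serial: int
    subject: str
    spki_der: bytes  # constructed bytes standing in for DER SubjectPublicKeyInfo

@dataclass(frozen=True)
class Holder:
    # RFC 3281 Holder: at least one of the three forms is present.
    base_cert_id: Optional[Tuple[str, int]] = None  # (issuer, serial)
    entity_name: Optional[str] = None
    object_digest: Optional[bytes] = None           # hash over the public key

@dataclass(frozen=True)
class AttributeCert:
    holder: Holder
    not_before: datetime
    not_after: datetime
    attributes: dict = field(default_factory=dict)

def key_digest(spki_der: bytes) -> bytes:
    return hashlib.sha256(spki_der).digest()

def holder_matches(h: Holder, c: PublicKeyCert) -> bool:
    """Assumed rule: every Holder field that is present must match the cert."""
    if h.base_cert_id is None and h.entity_name is None and h.object_digest is None:
        return False
    if h.base_cert_id is not None and h.base_cert_id != (c.issuer, c.serial):
        return False
    if h.entity_name is not None and h.entity_name != c.subject:
        return False
    if h.object_digest is not None and h.object_digest != key_digest(c.spki_der):
        return False
    return True

def bound_certs(ac: AttributeCert, certs: List[PublicKeyCert]) -> List[PublicKeyCert]:
    return [c for c in certs if holder_matches(ac.holder, c)]

def ac_valid_at(ac: AttributeCert, when: datetime) -> bool:
    # Validity is a property of the AC itself; a bare key publishes none.
    return ac.not_before <= when <= ac.not_after

# Constructed sample: one key pair, two certificates with different names.
KEY = b"constructed-spki-bytes-for-one-rsa-key"
CERTS = [PublicKeyCert("CN=CA1", 1, "CN=Alice", KEY),
         PublicKeyCert("CN=CA2", 7, "CN=Alice Smith", KEY)]
WINDOW = (datetime(1999, 5, 1, tzinfo=timezone.utc), datetime(1999, 12, 31, tzinfo=timezone.utc))
AC_BY_KEY = AttributeCert(Holder(object_digest=key_digest(KEY)), *WINDOW, {"role": "admin"})
AC_BY_ID = AttributeCert(Holder(base_cert_id=("CN=CA1", 1)), *WINDOW, {"role": "admin"})
```

`bound_certs(AC_BY_KEY, CERTS)` returns both certificates, while `bound_certs(AC_BY_ID, CERTS)` returns only the CA1 certificate.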