RE: Cert comparison needs AI?
Stefan,
>It means that when you form an application, you have to handle this with
>care and make sure that the application doesn't produce misleading results.
Noop. In the absence of defined semantics, this property or quality MUST be a part
of a valid QC CPS. The German (QC sample?) CPS must state that you can't compare
German QCs (or do it at your own risk) while the Swedish and Finnish ID-card programs
guarantee that you can trust the static unique ID as being the sole attribute to
compare (after you have detected that the cert really belongs to these domains).
Note: computers do not "care". They run algorithms based on a usually limited set of rules.
If the governing humans do not know how to express the rules, the programmers making applications
are likely to fail as well. As programmers also are humans.
/anders
/Stefan
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@jaybis.com]
> Sent: Sunday, February 13, 2000 13:50
> To: Magnus (RSA); ietf-pkix@imc.org; Stefan Santesson
> Subject: QC: Cert comparison needs AI?
>
>
> Guys,
>
> From section 4 security:
>
> >Comparing two qualified certificates to determine if they represent
> >the same physical entity may provide misleading results and should be
> >performed with care.
>
> Since the relying party is in most cases a server-computer
> I would be happy to get the Java source code for
> "performed with care". :-) :-) :-)
>
> Of course a slippery statement like that is not even worth
> the paper it is written on.
> In the "real" world we need down-to-earth solutions which
> means that all this is currently completely out of the draft.
>
> Anders
>
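
As an added illustration of the point argued in this thread (not code from either poster or from the draft): a relying party can only automate the comparison when the issuer's policy defines which attribute is a static unique ID, and must otherwise return "undetermined" rather than guess. The policy OIDs (from the 2.999 example arc), the `serialNumber` attribute choice and the dict layout of a parsed certificate are assumptions made for the example.

```python
from enum import Enum

class Match(Enum):
    SAME = "same"
    DIFFERENT = "different"
    UNDETERMINED = "undetermined"   # no defined semantics: do not guess

# Constructed registry: policy OID -> subject attribute that the issuer's CPS
# declares to be a static unique identifier. OIDs are placeholders (2.999 arc).
UNIQUE_ID_POLICIES = {
    "2.999.1.1": "serialNumber",    # hypothetical ID-card scheme A
    "2.999.2.1": "serialNumber",    # hypothetical ID-card scheme B
}

def id_key(cert):
    """Return (policy_oid, unique_id) when the certificate belongs to a domain
    with defined comparison semantics, else None. Assumes the chain and the
    policy assertion were already validated by the caller."""
    for oid in sorted(cert.get("policies", [])):
        attr = UNIQUE_ID_POLICIES.get(oid)
        value = cert.get("subject", {}).get(attr) if attr else None
        if value and value.strip():
            return (oid, value.strip())
    return None

def same_entity(a, b):
    """Three-valued comparison of two parsed certificates."""
    ka, kb = id_key(a), id_key(b)
    if ka is None or kb is None:
        return Match.UNDETERMINED
    if ka[0] != kb[0]:
        # IDs issued under different schemes are not comparable.
        return Match.UNDETERMINED
    return Match.SAME if ka[1] == kb[1] else Match.DIFFERENT

# Constructed sample certificates (already parsed into dicts).
OLD = {"policies": ["2.999.1.1"],
       "subject": {"CN": "Anna Example", "serialNumber": "19700101-0001"}}
RENEWED = {"policies": ["2.999.1.1"],
           "subject": {"CN": "Anna E. Example", "serialNumber": "19700101-0001"}}
OTHER = {"policies": ["2.999.1.1"],
         "subject": {"CN": "Anna Example", "serialNumber": "19700101-0002"}}
NO_SEMANTICS = {"policies": ["2.999.9.9"],
                "subject": {"CN": "Anna Example", "serialNumber": "19700101-0001"}}

if __name__ == "__main__":
    for name, cert in [("renewed", RENEWED), ("other", OTHER),
                       ("no_semantics", NO_SEMANTICS)]:
        print(name, same_entity(OLD, cert).value)
```
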