
Re: Missing Protocol ?
> From: Denis Pinkas <Denis.Pinkas@bull.net>
> > From: Ed Gerck
> > Here, in PKIX, the main purpose of a CA is also to bind a public key to the name
> > contained in the certificate and thus assure third parties that some measure of care
> > was taken to ensure that this binding is valid for both -- i.e., name and key. However,
> > the issue of whether a user's DN actually corresponds to identity credentials that are
> > *globally* linked to a person, or to a local alias or, simply, to an e-mail address -- and
> > how such association was verified -- is outside the scope of PKIX and depends
> > on each CA's CPS.
> 
> I am not sure that this is really outside the scope of PKIX. If some
> judge would like to make the difference between John Smith 22 and
> John Smith 23, what can he do? Nothing that has been standardized
> today. :-(  In PKIX we currently do not offer any solution. Maybe we
> should? What kind of solution? Being able to get back (when
> appropriate) the registration information (sometimes called the
> credentials) that has been registered at the time of registration by
> the RA. I do not think that it may be practical to get that
> information by paper and in a different format for every CA in the
> world. A protocol (and a schema) might be useful.
> 
> Denis


Denis,

As long as CPSs are different, the "big identity in the sky" (the
information about a subject which makes John Smith 22 different from
John Smith 23) will be different, and outside the scope of PKIX.  If
the judge has access to a certain body of information:  employment and
credit history, property ownership and tax records, utility bills, etc.,
and the CA has used any of that information to establish identity, then
the certificate may be useful to the judge.  If the CA uses only email
address to establish "identity", the certificate will be useless to a
judge dealing in non-electronic matters.  I don't see how PKIX could
consider in-scope an effort to develop a schema for the universe
of information which could constitute a human identity.

Dave