
Re: Missing Protocol ?
Dave:

Yes and to your final paragraph.  A new WG would be needed -- otherwise
this WG would need to backtrack so much that nothing would be left ;-)
OTOH, with a new WG then what this WG has done might be a *component*
in a bigger frame, and a useful one.

Cheers,

Ed Gerck

"David P. Kemp" wrote:

> > From: Denis Pinkas <Denis.Pinkas@bull.net>
> > > From: Ed Gerck
> > > Here, in PKIX, the main purpose of a CA is also to bind a public key to the name
> > > contained in the certificate and thus assure third parties that some measure of care
> > > was taken to ensure that this binding is valid for both -- i.e., name and key. However,
> > > the issue whether a user's DN actually corresponds to identity credentials that are
> > > *globally* linked to a person, or to a local alias or, simply to an e-mail address -- and
> > > how such association was verified -- is outside the scope of PKIX and depends
> > > on each CA's CPS.
> >
> > I am not sure that this is really outside the scope of PKIX. If some
> > judge would like to make the difference between John Smith 22 and
> > John Smith 23, what can he do? Nothing that has been standardized
> > today. :-(  In PKIX we currently do not offer any solution. Maybe we
> > should? What kind of solution? Being able to get back (when
> > appropriate) the registration information (sometimes called the
> > credentials) that has been registered at the time of registration by
> > the RA. I do not think that it may be practical to get that
> > information by paper and in a different format for every CA in the
> > world. A protocol (and a schema) might be useful.
> >
> > Denis
>
> Denis,
>
> As long as CPSs are different, the "big identity in the sky" (the
> information about a subject which makes John Smith 22 different from
> John Smith 23) will be different, and outside the scope of PKIX.  If
> the judge has access to a certain body of information:  employment and
> credit history, property ownership and tax records, utility bills, etc,
> and the CA has used any of that information to establish identity, then
> the certificate may be useful to the judge.  If the CA uses only email
> address to establish "identity", the certificate will be useless to a
> judge dealing in non-electronic matters.  I don't see how PKIX could
> consider in-scope an effort to develop a schema for the universe
> of information which could constitute a human identity.
>
> Dave