
Re: Missing Protocol ?



     I don't think that anyone is proposing "an effort to develop a schema
for the universe of information which could constitute a human identity".
At least I hope not :-(
     What I, at least, am proposing is a mechanism by which identifiers
which were assigned by a known identified organization can be represented
in a GeneralName, in such a way that an RP can tell who is the assignment
authority for the identifier.  The cases where the assignment authority is
a government agency or the issuing CA are of special importance.  Some may
consider this out of scope for PKIX, but it is certainly not more complex
or unworkable than the existing DN arrangement.
     The fields that would actually be used in this way are likely to
include things like employee identifications.  "John Smith who has been
General Motors employee 356789" is a much more definitive identifier than
"John Smith" or even "John Edward Smith from Michigan who works for GM".

          Tom Gindin

"David P. Kemp" <dpkemp@missi.ncsc.mil> on 04/14/2000 01:25:23 PM

Please respond to "David P. Kemp" <dpkemp@missi.ncsc.mil>

To:   ietf-pkix@imc.org
cc:
Subject:  Re: Missing Protocol ?
> From: Denis Pinkas <Denis.Pinkas@bull.net>
> > From: Ed Gerck
> > Here, in PKIX, the main purpose of a CA is also to bind a public key to
> > the name contained in the certificate and thus assure third parties that
> > some measure of care was taken to ensure that this binding is valid for
> > both -- i.e., name and key. However, the issue whether a user's DN
> > actually corresponds to identity credentials that are *globally* linked
> > to a person, or to a local alias or, simply to an e-mail address -- and
> > how such association was verified -- is outside the scope of PKIX and
> > depends on each CA's CPS.
>
> I am not sure that this is really outside the scope of PKIX. If some
> judge would like to make the difference between John Smith 22 and
> John Smith 23, what can he do ? Nothing that has been standardized
> today. :-(  In PKIX we currently do not offer any solution. Maybe we
> should ? What kind of solution ? Being able to get back (when
> appropriate) the registration information (sometimes called the
> credentials) that has been registered at the time of registration by
> the RA. I do not think that it may be practical to get that
> information by paper and in a different format for every CA in the
> world. A protocol (and a schema) might be useful.
>
> Denis


Denis,

As long as CPSs are different, the "big identity in the sky" (the
information about a subject which makes John Smith 22 different from
John Smith 23) will be different, and outside the scope of PKIX.  If
the judge has access to a certain body of information:  employment and
credit history, property ownership and tax records, utility bills, etc,
and the CA has used any of that information to establish identity, then
the certificate may be useful to the judge.  If the CA uses only email
address to establish "identity", the certificate will be useless to a
judge dealing in non-electronic matters.  I don't see how PKIX could
consider in-scope an effort to develop a schema for the universe
of information which could constitute a human identity.

Dave
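Tom Gindin's proposal at the top of the thread (an identifier assigned by a known organization carried in a GeneralName so that an RP can tell who assigned it) could be realised with an X.509 otherName whose type-id OID names the assignment authority. The code below is an added example, not from the thread or from any PKIX document; the OIDs under the private-enterprise arc and the registry that maps them to authorities are constructed placeholders, and only short-form DER lengths (under 128 bytes) are handled.

```python
# Constructed registry: one placeholder type-id OID per assignment authority,
# so the OID in the otherName itself tells the RP who issued the identifier.
ASSIGNMENT_AUTHORITIES = {
    "1.3.6.1.4.1.99999.1": "General Motors employee number (constructed OID)",
    "1.3.6.1.4.1.99999.2": "State driver licence number (constructed OID)",
}

def _tlv(tag, body):
    assert len(body) < 0x80, "short-form DER lengths only (enough for identifiers)"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # low 7 bits, continuation bit clear
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_other_name(type_oid, identifier):
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id, value [0] EXPLICIT UTF8String }."""
    value = _tlv(0xA0, _tlv(0x0C, identifier.encode("utf-8")))
    return _tlv(0xA0, encode_oid(type_oid) + value)

def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "short-form DER lengths only"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def resolve_other_name(general_name):
    """RP side: (assignment authority, identifier), or None when the GeneralName
    is not an otherName or its type-id is not in the registry."""
    tag, seq, _ = _read_tlv(general_name)
    if tag != 0xA0:                    # rfc822Name, dNSName, etc. carry no authority
        return None
    oid_tag, oid_body, pos = _read_tlv(seq)
    val_tag, val_body, _ = _read_tlv(seq, pos)
    str_tag, ident, _ = _read_tlv(val_body)
    if (oid_tag, val_tag, str_tag) != (0x06, 0xA0, 0x0C):
        return None
    authority = ASSIGNMENT_AUTHORITIES.get(decode_oid(oid_body))
    return None if authority is None else (authority, ident.decode("utf-8"))
```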