RE: What is the order of certificates in a certificate chain?
Hi David:
Consider the following reasoning:-
A CA, in the PKIX model, may be accredited - something
that is signaled via the issuance of a cross-certificate
or similar.
If a (trusted) CA quotes such a cross-certificate during
certificate application procedures, it is
essentially representing the validity of the underlying
accreditation. A CA which quoted a revoked
accreditation cross-certificate would
be likely acting in a manner which is a mis-representation
of fact, surely.
If a building contractor came to your house,
presented an official and legally-recognised
paper license to do electrical work, and you subsequently
determine that the license had been revoked in
the license registry prior to presentation of the
paper during contract negotiation, would you not feel a
simple mis-representation had occurred?
Could a regulator not punish that contractor for
not suspending licensed work - and/or falsely
imputing a licensed standing?
I would think that a best practices Internet CA has
a simple professional if not a legal duty to ensure that
it does not provide false information to a subscriber
during CMP; especially information that might prejudice
the determination of that subscriber when establishing
the initial accuracy of a certificate that will bind
him/her at NR grade of proof - following formal
acceptance of that certificate.
----
-----Original Message-----
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
Sent: Thursday, April 20, 2000 8:32 AM
To: ietf-pkix@imc.org
Subject: RE: What is the order of certificates in a certificate chain?
> From: Peter Williams <peterw@valicert.com>
>
> Does a CA who sends such certificates to a user
> bear responsibility for the current, individual reliability
> of any certificate it sends? I.e.
> can one assume that the subscriber's CA has just checked the
> certs' non-revoked status, or the provider's continuing
> accreditation certificate status, under the CA domain's or
> another regulator's governing policy, prior to inducing others
> to use or rely on those certificates.
>
> Surely, by virtue of supplying CA certificates to a subscriber
> at such a critical juncture one is performing an authoritative,
> legal introduction to the entities bound to the public keys?
Surely, one is not. The bag-o'-certs is *nothing* more than a
pile of information that may save the subscriber the effort of
looking them up in a directory or elsewhere. It is entirely
up to the subscriber to choose a trust anchor and validate all
certs from that anchor. If one or more provided certs cannot
be so validated, I don't see how they can be regarded as
"introduced" or "considered reliable by a TTP-grade CA".
What, precisely, is a subscriber supposed to do with intermediate
(non-self-signed) certificates which have been "introduced" by a CA?
Dave
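Dave's point, that the bag of certs is unordered information which the relying party must itself order and validate from a trust anchor it chose, as an added example that is not part of this thread or any PKIX code: a path builder over an unordered bag. Names and keys are constructed, and an HMAC under the issuer's key stands in for a real public-key signature so it runs with the standard library only.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # subject's key; a symmetric stand-in for the public key
    sig: bytes   # issuer's "signature" over (subject, issuer, key)


def _tbs(subject: str, issuer: str, key: bytes) -> bytes:
    return b"|".join([subject.encode(), issuer.encode(), key])


def issue(subject: str, issuer: str, key: bytes, issuer_key: bytes) -> Cert:
    # Constructed stand-in: HMAC under the issuer's key plays the role of the
    # issuer's signature; the path logic below is what the example is about.
    return Cert(subject, issuer, key,
                hmac.new(issuer_key, _tbs(subject, issuer, key), hashlib.sha256).digest())


def verify(cert: Cert, issuer_key: bytes) -> bool:
    expect = hmac.new(issuer_key, _tbs(cert.subject, cert.issuer, cert.key), hashlib.sha256).digest()
    return hmac.compare_digest(cert.sig, expect)


def build_chain(leaf: Cert, bag: list[Cert], anchors: dict[str, bytes]) -> list[Cert]:
    """Order the unordered bag into leaf -> ... -> cert signed by a chosen anchor.
    `anchors` maps trusted subject names to keys; the relying party picks them,
    not the CA that handed over the bag. Raises ValueError if no path validates."""
    candidates: dict[str, list[Cert]] = {}
    for c in bag:
        candidates.setdefault(c.subject, []).append(c)
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer not in anchors:
        # Several bag certs may carry the issuer's name; keep the first whose key verifies.
        nxt = next((c for c in candidates.get(cur.issuer, [])
                    if c.subject not in seen and verify(cur, c.key)), None)
        if nxt is None:
            raise ValueError(f"no validating issuer cert for {cur.subject!r} ({cur.issuer!r})")
        chain.append(nxt); seen.add(nxt.subject); cur = nxt
    if not verify(cur, anchors[cur.issuer]):
        raise ValueError(f"{cur.subject!r} not signed by chosen anchor {cur.issuer!r}")
    return chain


def demo() -> list[str]:
    # Constructed keys and names; the bag arrives in no particular order.
    root_k, sub_k, alice_k = b"root-key", b"subca-key", b"alice-key"
    root = issue("Root", "Root", root_k, root_k)
    subca = issue("SubCA", "Root", sub_k, root_k)
    stale = issue("SubCA", "Root", b"old-subca-key", b"not-root")  # same name, bad signature
    alice = issue("alice", "SubCA", alice_k, sub_k)
    return [c.subject for c in build_chain(alice, [stale, root, subca], {"Root": root_k})]
```

A bag cert that is merely named as the issuer but does not verify is skipped, and a bag with no validating path, or one that ends at a root the relying party never chose as an anchor, is rejected rather than "introduced".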