
Re: Missing Protocol ?

> > From: Denis Pinkas <Denis.Pinkas@bull.net>
> >
> > I see no reason for this. AAs (Attribute Authorities) are not the
> > same as RAs (Registration Authorities).
> > The response comes from the RA, not an AA. In any case the use of
> > AAs is not mandated.
> 
> It's a question of assurance.  If you trust a directory, you don't need
> signed attributes.  I lean towards end-to-end security whenever
> possible, and therefore prefer the RA to sign attributes rather than
> having the directory dish out unprotected information.  If the
> authoritative RA database is available online, there is little reason
> to prefer signed over unsigned.  But as soon as the information is
> replicated, cached, passed along, or otherwise distributed, the RA's
> signature becomes helpful.  When the RA signs attributes, it becomes,
> by definition, an AA.

Certainly not. Using an AC mandates a very precise data structure. So
the fact that the answer is signed does not make the RA an AA.
Note that the RA may respond without any signature and that
security may be provided using, e.g., TLS.

Anyway, the intent is not to place that information in multiple
untrusted Directories, but to query one server (in the same way
this is done for OCSP). The idea is to allow that information to be
stored locally in some database that could be queried using LDAP.

Regards,

Denis

> Regards,
> Dave
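
The end-to-end argument Dave makes above (an RA signature still protects the
attributes once they have been replicated or cached, whereas transport security
only protects the hop to whichever server answered), as an added example that
is not part of the original thread: a Go program in which a hypothetical RA
signs an attribute statement, an untrusted replica alters it while forwarding
it, and the relying party rejects the altered copy. The AttributeStatement
type, its field names and the sample values are assumptions made for this
example; it is not an RFC 3281 attribute certificate in the sense Denis
refers to, and nothing here is code from either poster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// AttributeStatement is a hypothetical, minimal attribute assertion an RA
// might sign. It is deliberately NOT an RFC 3281 attribute certificate;
// the field names are assumptions made for this example.
type AttributeStatement struct {
	Subject    string            `json:"subject"`
	Attributes map[string]string `json:"attributes"`
	NotAfter   int64             `json:"notAfter"`
}

// SignedStatement carries the encoded statement plus the RA's signature.
type SignedStatement struct {
	Payload   []byte
	Signature []byte // DER-encoded ECDSA signature over SHA-256(Payload)
}

// SignStatement encodes the statement and signs its digest with the RA key.
// encoding/json sorts map keys, so the encoding is stable across re-marshaling.
func SignStatement(key *ecdsa.PrivateKey, st AttributeStatement) (SignedStatement, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return SignedStatement{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{Payload: payload, Signature: sig}, nil
}

// VerifyStatement checks the RA signature before trusting any field. A relying
// party that obtained the statement from a cache or replica can still verify
// it; TLS to that cache would only have protected the last hop.
func VerifyStatement(pub *ecdsa.PublicKey, ss SignedStatement) (AttributeStatement, bool) {
	digest := sha256.Sum256(ss.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], ss.Signature) {
		return AttributeStatement{}, false
	}
	var st AttributeStatement
	if err := json.Unmarshal(ss.Payload, &st); err != nil {
		return AttributeStatement{}, false
	}
	return st, true
}

// TamperingReplica models an untrusted intermediate directory that rewrites
// an attribute while forwarding the statement. Lacking the RA key, it can
// only forward the original signature unchanged.
func TamperingReplica(ss SignedStatement) SignedStatement {
	var st AttributeStatement
	_ = json.Unmarshal(ss.Payload, &st)
	st.Attributes["role"] = "admin" // privilege escalation attempt
	payload, _ := json.Marshal(st)
	return SignedStatement{Payload: payload, Signature: ss.Signature}
}

// Demo reports whether the statement verifies when fetched directly from the
// RA and whether it still verifies after passing through the tampering replica.
func Demo() (bool, bool, error) {
	raKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample statement; the values are illustrative only.
	st := AttributeStatement{
		Subject:    "CN=alice,O=Example",
		Attributes: map[string]string{"role": "operator", "clearance": "internal"},
		NotAfter:   1700000000,
	}
	signed, err := SignStatement(raKey, st)
	if err != nil {
		return false, false, err
	}
	_, directOK := VerifyStatement(&raKey.PublicKey, signed)
	_, relayedOK := VerifyStatement(&raKey.PublicKey, TamperingReplica(signed))
	return directOK, relayedOK, nil
}

func main() {
	direct, relayed, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("fetched directly from the RA, verifies: %v\n", direct)
	fmt.Printf("after the tampering replica, verifies:  %v\n", relayed)
}
```

The relying party needs only the RA's public key, not a trusted path to the
server it happened to query, which is the property that distinguishes this from
relying on TLS to a single authoritative server as Denis describes.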