CA process
- To: pkix ML <ietf-pkix@xxxxxxx>
- Subject: CA process
- From: Akihiro Takahashi <ah-takahashi@xxxxxxxxxxxx>
- Date: Tue, 25 Apr 2000 09:45:49 +0900
- Organization: KCOM MilliCent Project Dept. 03-3243-1125
Dear Sirs,

Now we are trying to make a study of CA business operation procedure
in detail. Is there any mailing list for CA business? Or can anyone
suggest to me how to study it? Because we would like to start a CA
business in Japan!

"David P. Kemp" wrote:
>
> > From: Peter Williams <peterw@valicert.com>
> >
> > Does a CA who sends such certificates to a user
> > bear responsibility for the current, individual reliability
> > of any certificate it sends? I.e.
> > can one assume that the subscriber's CA has just checked the
> > certs' non-revoked status, or the provider's continuing
> > accreditation certificate status, under the CA domain's or
> > another regulator's governing policy, prior to inducing others
> > to use or rely on those certificates?
> >
> > Surely, by virtue of supplying CA certificates to a subscriber
> > at such a critical juncture one is performing an authoritative,
> > legal introduction to the entities bound to the public keys?
>
> Surely, one is not. The bag-o'-certs is *nothing* more than a
> pile of information that may save the subscriber the effort of
> looking them up in a directory or elsewhere. It is entirely
> up to the subscriber to choose a trust anchor and validate all
> certs from that anchor. If one or more provided certs cannot
> be so validated, I don't see how they can be regarded as
> "introduced" or "considered reliable by a TTP-grade CA".
>
> What, precisely, is a subscriber supposed to do with intermediate
> (non-self-signed) certificates which have been "introduced" by a CA?
>
> Dave