AC Scenarios - PULL model
Steve,

> I promised to think more about which Holder format makes the most sense
> when an ODI with PK hash is included (formats 4, 6, 8, or 10).
> 
> This got me to thinking about how ACs are going to be used with Internet
> protocols. In particular, I was wondering when it will be important to
> include hints (entityName and/or baseCertificateID) with an
> objectDigestInfo. I decided to describe and analyze all of the important
> circumstances under which ACs would be used with existing Internet
> protocols (since that is our primary area of concern). Here is the list
> of scenarios that I came up with:

> I'd appreciate feedback from others on these scenarios.

I think your exposition of Internet Protocols and ACs was very interesting.
However, I see some problems (maybe due to lack of knowledge) with
the PULL model in general:

If we are talking Internet Protocols I guess we should try to decide if
we are addressing closed PKIs (or closed environments), or the open net
with many parties of different trustworthiness and longevity.

If we are in a closed ("trusted") environment, AC-like information can be
gathered by several means, including directories. This is an established way
of doing things.

Now, if we instead say that ACs using the PULL model and TLS should be used
for extranet access, we face an AC repository "URL" configuration (and access-right)
problem, as AFAIK there is no straightforward way of finding this information in the PKC,
particularly not if the AA is disjoint from the CA.

Conclusion: Solving the AC-PKC binding issue(s) is just one part of the AC puzzle.

Regards
Anders R