Re: I-D ACTION:draft-ietf-pkix-usergroup-01.txt
This is indeed an interesting topic...

Essentially there are two ways to make certificates more adapted
to their working environment:

1. Clobber certificates with more "stuff" as the draft suggests
2. Use a mapping facility that maps a certificate into whatever
   is needed by the working environment

A major advantage with mapping is that you can use TTP-issued
certificates (a.k.a. 100% outsourced PKI), and that the very same
certificates can be used by multiple relying parties in many different
environments.

A major disadvantage with mapping is that Microsoft, and probably
most others as well, do not yet support this fundamental capability
except to a very limited extent. Contributing to that is the fact that
current PKI standards do not offer the kind of manageable mapping
support needed for efficient usage of TTP-issued certificates.

If Microsoft and others are to upgrade their PKI support
(which both solutions require), I really hope that they settle
for a mapping solution.

cheers,
Anders
========================================================
Entities, here denoting individuals and organizations, using the Internet
for handling sensitive information or performing critical transactions,
need simple, low-cost, universal, unambiguous, non-forgeable, securely
multipliable, revocable and renewable "digital handles" to themselves,
preferably issued by globally recognized, trusted third parties
========================================================