Re: I-D ACTION:draft-ietf-pkix-usergroup-01.txt

[Stephen Kent <kent@xxxxxxx>]

At 10:20 AM +0200 9/29/02, Anders Rundgren wrote:
> This is indeed an interesting topic...
>
> Essentially there are two ways to make certificates more adapted
> to their working environment:
>
> 1. Clobber certificates with more "stuff" to as the draft suggests
>
> 2. Use a mapping facility that maps a certificate into whatever
>     is needed by the working environment
>
> A major advantage with mapping is that you can use TTP-issued
> certificates (a.k.a. 100% outsourced PKI), and that the very same
> certificates can be used by multiple relying parties in many different
> environments.
>
> A major disadvantage with mapping is that Microsoft and probably
> most others as well, do not yet support this fundamental capability
> except to a very limited extent.  Contributing to that, is the fact that
> current PKI-standards do not offer the kind of manageble mapping
> support needed for efficient usage of TTP-issued certificates.
>
> If Microsoft and others are to upgrade their PKI support
> (which both solutions require), I really hope that they settle
> for a mapping solution.
>
> cheers,
> Anders

Another disadvantage to mapping is that it creates another 
opportunity to make errors, i.e., in mapping from the certificate 
space to the application space. the database needed to perform the 
map is an additional source of errors, or an additional attack point, 
and generally lacks the integrity afforded to certs.

Steve