
RE: Legal entities who sign



Jimi,

There is a profile for certification authorities issuing public key certificates and qualified certificates. Such profiles are based on RFC 2459 and are compliant with the European directive on electronic signature. It also has to be noted that a country's internal laws on electronic signatures shall also comply with the requirements of the European directive.

So IMHO, I think that whether it has to be a commercial or governmental authority is of no worth if the corresponding authority doesn't comply with the country law and directives governing the issuance of PK certificates and electronic signatures.

Anders,

I find very elegant the idea of using X509 certificates to express and implement "Legally signing certificates" but where are we hence from the terms "signature policy", "commitment texts", that were suggested as a means to define particular legal and contractual contexts? Does this mean that the certificate policy under which you issue "legally signing certificates" will stand for and replace the "signature policy"?

IMHO, I still think that the most important issue that still needs to be resolved is an elegant, easy and standard means to implement the "delegated signing capabilities".

Best regards,

malek.

-----Original Message-----
From: Jimi Thompson [mailto:jimit@xxxxxxxxxxx]
Sent: 04 November 2002 03:31
To: Anders Rundgren; ietf-pkix@xxxxxxx; J Adrian Pickering; Ing. Raffaello Galli
Subject: Re: Legal entities who sign



Anders and others,

I tend to agree with you.  There needs to be a legally and probably
governmentally recognized issuing body for the certificates, for a couple of
reasons.  First off, it will halt any squabbling over who the ultimate CA is
going to be.  I also think that this responsibility should move away from
commercial CA's since they have a financial incentive to issue as many certs
as possible and not that much incentive for verification.  In addition, I
find that the fees that they charge are quite high and might prohibit
participation from certain areas of the world.  I think that the Post Office
is probably fairly wise since they tend to be highly physically available in
most parts of the world.   I think that the only thing that's really missing
is a DNS-like standard which would allow verification of authenticity,
parameters of validity, or revocation.

Another 2 cents,

Jimi Thompson
