Re: Certificate policy question

[Richard Levitte - VMS Whacker <levitte@xxxxx>]

In message <3DF8B663.9596C91F@xxxxxxx> on Thu, 12 Dec 2002 11:16:35 -0500, Steve Hanna <steve.hanna@xxxxxxx> said:

steve.hanna> I will add my voice to the growing crowd emphasizing that
steve.hanna> there are many good reasons to have multiple certificate
steve.hanna> policies in a single certificate (EE or CA). Sharon gave
steve.hanna> several good examples.

I know I suggested some programatic assertions, and some of them
weren't the wisest, I'll admit that.  Of course I'll follow the
RFC 3280 algorithm.

I believe that when I get started on the code I plan, I will add the
option to have warnings issued when multi-policy EE certs appear, so
the right person gets some kind of notification about that being
something to look into.  Then is the question if that option should be
enabled by default or not.  Additionally, it could be a good thing to
have the possibility to distrust certain CAs (no, I don't believe a
CRL entry is the right thing, or is there a reason code that means
"the CA made a fool of itself"?  Either way, that would also only be
possible in a mesh-type PKI, I think).
I believe such extra options is still perfectly compatible with the
RFC 3280 algorithm.  All it does is give the user of my code a level
of control over trust that can't really be handled with CRLs or other
standard means that I can recall right now.

-- 
Richard Levitte     | http://richard.levitte.org/ | Spannv. 38, I
Levitte Programming | http://www.lp.se/           | S-168 35 Bromma
T: +46-708-26 53 44 |                             | SWEDEN
     "Price, performance, quality...  choose the two you like"