
Re: Certificate Policies (was Re: Trivial PKI Question)



Hi Steve,
there is no reason to get excited :-)

>The method you described (having a separate CA network
>for each policy) is cumbersome. So, yes, I do think we
>should work on getting support for certificate policies
>into relying party software.

I know little about the systems that you indirectly refer to, but
may I put some questions here?

- What do separate CA networks mean beyond multiple keys
  (which should be a piece of cake if you have proper CA SW)?

- What do these policies imply (function: web-server/e-mail or
  legal: hi-value/lo-value)? This is IMO a pretty broken part
  of policy extensions.  And very hard to "repair" as well.

- How do these guys plan to communicate outside of their
  tightly matched (unique) system?

>> X.509 Attribute certificates have also been touted as an
>> important addition to PKI technology.  I don't think even the
>> authors believe that anymore.  At least not in private.

>Stop taking unsupported potshots at other technology.

You want more proof?  Ok, here is some (see attribute cert):
   http://www.imc.org/ietf-pkix/mail-archive/msg05855.html
An AC author's disillusioned view: 
  http://www.imc.org/ietf-pkix/mail-archive/msg05195.html

Regarding the "ad hominem attack" on the US GOV PKI programs:
In case you are interested in how you can reduce the need for
building systems consisting of:
- Tightly matched private (or community-based) X.500 directories
- Bridge CAs
- Policy extensions as a part of client software

The following are the cornerstones of such an alternative system.
- Communicate only through nodes using "authority stamp signatures".
  Eliminates person-to-person PKI on the client level completely
- Use SAML for intranet access.  Directories only support tree-
  shaped "boring" information, the intranet supports anything

If you look in "server-PKI" in the aforementioned rationale
there is an almost unbearable amount of additional information
on this topic :-)

To get rid of directories is, I believe, a major issue for
successful PKI adoption.  Phill H-B and P Gutmann agree to that as
well.  As the directory is the center of most (not the Swedish
one actually) public sector PKI programs, I think we have a
"little" problem in the making here.

Regards
Anders
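The disagreement above is about whether "support for certificate policies in relying party software" is worth building, as opposed to running a separate CA hierarchy per policy. To make concrete what that relying-party support amounts to, here is an added example, not part of the original thread and not code from any of the people or projects mentioned. It decodes the DER value of an X.509 certificatePolicies extension with a small stdlib-only parser and applies the policy decision a relying party would make. The policy OIDs under the 99999 arc are constructed placeholders, not registered policies; anyPolicy (2.5.29.32.0) is the real well-known value.

```python
"""Decode a certificatePolicies extension value and apply a relying-party check.

Stdlib only. certificatePolicies ::= SEQUENCE OF PolicyInformation, where
PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
policyQualifiers ... OPTIONAL }. Qualifiers are ignored here: the
accept/reject decision is driven by the policy OIDs alone.
"""

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, defined next to id-ce-certificatePolicies


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return b"\x06" + _encode_len(len(out)) + bytes(out)


def encode_certificate_policies(oids) -> bytes:
    """Build the extension value (used only to construct sample input)."""
    infos = b"".join(b"\x30" + _encode_len(len(o)) + o
                     for o in (encode_oid(x) for x in oids))
    return b"\x30" + _encode_len(len(infos)) + infos


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_certificate_policies(der: bytes):
    """Return the list of policy OIDs asserted by a certificatePolicies value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)  # qualifiers, if present, follow
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def relying_party_accepts(cert_policy_oids, acceptable_policies,
                          allow_any_policy=False) -> bool:
    """Accept the certificate for a use if it asserts a policy the relying
    party requires for that use. anyPolicy is honoured only when the caller
    opts in, since an end-entity certificate asserting it says nothing."""
    asserted = set(cert_policy_oids)
    if allow_any_policy and ANY_POLICY in asserted:
        return True
    return bool(asserted & set(acceptable_policies))


# Constructed placeholder policy OIDs (99999 is not a real enterprise arc here).
HIGH_VALUE = "1.3.6.1.4.1.99999.1.1"
LOW_VALUE = "1.3.6.1.4.1.99999.1.2"
SAMPLE_EXT = encode_certificate_policies([LOW_VALUE])  # constructed sample


def demo():
    """A cert issued under the low-value policy only: fine for low-value
    use, rejected for high-value use, all under one CA hierarchy."""
    policies = parse_certificate_policies(SAMPLE_EXT)
    return {
        "asserted": policies,
        "ok_for_low": relying_party_accepts(policies, {LOW_VALUE}),
        "ok_for_high": relying_party_accepts(policies, {HIGH_VALUE}),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes for the "separate CA network per policy" question: once the relying party reads the policy OIDs and keeps its own table of which policy is acceptable for which use, one issuing hierarchy can carry both hi-value and lo-value certificates and the distinction is enforced at the relying party rather than by trust-anchor plumbing.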