
Re: Certificate Policies (was Re: Trivial PKI Question)

Steve,
As PKI is too complex not only for IS-departments, but
even for [all of] us who claim we are experts on the subject,
I only take out one item, although a "favorite" :-)

>> - What do these policies imply (function: web-server/e-mail or
>>   legal: hi-value/lo-value)? This is IMO a pretty broken part
>>   of policy extensions.  And very hard to "repair" as well

>As RFC 2527 and X.509 say, a certificate policy typically
>"indicates the applicability of a certificate to a particular
>community and/or class of application with common security
>requirements." Among other things, it might say what applications
>the certificate can be used for or what warranties are provided.
>So both "function" and "legal", in your terms.

>Could you elaborate on why you think this is broken?

Regardless of what I think of policy extensions, I would
never mix information that does not belong together.
This is semantic overloading (AKA "smart" coding).
It _seems_ like a revision in "legal" would affect "function"
as well, as they are expressed as a single object. This is
what I, while wearing my system architect cap, would
characterize as "broken beyond repair".

If I'm wrong here please pardon me, I do not claim to be
an expert in _this_ particular area of PKI.

Anders