Re: Certificate Policies (was Re: Trivial PKI Question)
Although I'm not implementing or planning to implement certificate
policy support, I would like to make some points from a programmer's point
of view.
Steve Hanna wrote:
>
> > - What do separate CA networks mean beyond multiple keys
> > (which should be a piece of cake if you have proper CA SW)?
>
> This is the system currently used by most commercial CAs.
> They typically have a separate root CA for each class of
> certificates (certificate policy). This root CA may certify
> subordinate CAs, which are also typically separated by class
> of certificate. Not only do you need a separate key pair
> for each class of certificate, you typically use a different
> CA name and have a separate set of CRLs. And, of course, the
> number of trust anchors in relying party software increases
> by a factor equal to the number of policies.
>
* A certificate policy is also a trust anchor, just like a CA key (in fact,
all information that is used as input to the certificate verification
procedure (besides the cert chain itself) is a trust anchor). In one case you
have to rely on several CA keys, in the other case you have one CA key
and several policy identifiers.
* When using multiple CAs, what prevents you from issuing multiple
certificates to the same key?
--
Margus