Re: Certificate Policies

[Richard Levitte - VMS Whacker <levitte@xxxxx>]

In message <> on Thu, 13 Mar 2003 08:04:48 +0100, "Anders Rundgren" <anders.rundgren@xxxxxxxxx> said:

anders.rundgren> 
anders.rundgren> Steve,
anders.rundgren> As PKI is too complex not only for IS-departments, but
anders.rundgren> even for [all of] us who claim we are experts on the subject,
anders.rundgren> I only take out one item, although a "favorite" :-)
anders.rundgren> 
anders.rundgren> >> - What do these policies imply (function:
anders.rundgren> >>   web-server/e-mail or legal: hi-value/lo-value)?
anders.rundgren> >>   This is IMO a pretty broken part of  policy
anders.rundgren> >>   extensions.  And very hard to "repair" as well

A policy implies what is written in it (in the CP and the CPS).
There's nothing in a policy OID that can tell you what the function or
the legality of the policy is, you have to read the documents and
decide that for yourself accordingly.

The way I see it, it's not much different from reading the license
that comes with a program, be it the Microsoft EULA, the GPL or
whatever...  Or you might parallell it to contracts, if you feel
better about that.  Either way, you have to read them to know what
they imply, no software in the world will do that for you.

It seems like you want the implication of a contract (in this case,
certificate policies) to be determined programatically.  I believe
that's a mistake.

anders.rundgren> Regardless of what I think of policy extensions I
anders.rundgren> would never mix information that does not belong to
anders.rundgren> each other.  This is semantic overloading (AKA
anders.rundgren> "smart" coding).  It _seems_ like a revision in
anders.rundgren> "legal" would affect "function" as well, as they are
anders.rundgren> expressed as a single object.   This is what I, while
anders.rundgren> wearing my system architect cap, would characterize
anders.rundgren> as "broken beyond repair".

Uhmm, to reuse the license or contract model, they are also documents
that combine function and legality.  Are they also broken beyond
repair?

But fine, I've no problem seeing having to write a legal document and
a functional document if it came down to that.  What makes you think
I'd not have them constantly combined in whatever certificate I decide
to create, more or less as if they were a single document?  Also, what
are the implications for such a scheme when validating a certificate?
Currently, all policies along the path are regarded as single entities
that may apply alone with no regard for the other policies that may
appear on the way.  If combined policies became the thing to do, how
would validation software know what policies should be kept combined?
And oh, are those combinations only pairs, or can we have combinations
of three policy documents?  As you can see, this leads to another can
of worms, and I doubt that's what you wanted, so I'll assume I
misunderstand you and let you explain what you were thinking...

-- 
Richard Levitte     | http://richard.levitte.org/ | Spannv. 38, I
Levitte Programming | http://www.lp.se/           | S-168 35 Bromma
T: +46-708-26 53 44 |                             | SWEDEN
     "Price, performance, quality...  choose the two you like"