
Re: Certificate Policies (addenda)




note something related was discussed in sci.crypt regarding certification
of quality:
http://www.garlic.com/~lynn/2003d.html#71 SSL/TLS DHE suites and short exponents

aka a CA basically certifies the validity of some assertion in the
certificate. there has been little or no activity in the area of quality.
One is tempted to mention the joke in the risks forum this week about the
person lost in a balloon
http://catless.ncl.ac.uk/Risks/22.63.html

we had been somewhat involved in the most prevalent certification in the
world today ... aka SSL domain name certificates for e-commerce:
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

at the time, this included having to perform due diligence visits on the major
certification players for SSL domain name certificates for e-commerce.

we strove to get some quality issues introduced into the certification
process, with no success.

a significant issue is/was that certificates are primarily a paradigm for
offline, stale, static data. Risk and trust management has been moving the
state-of-the-art to a timely, dynamic data paradigm .... and it is
trivially shown that any environment that supports a timely, dynamic data
paradigm ... also supports stale, static data as a subset. It wasn't so
much that there weren't any players in the risk & trust management arena
.... it was that they had just about all moved into a timely, dynamic data
paradigm. While it is possible to prove that an infrastructure that
involves timely, dynamic data .... can support as a subset all the
characteristics of stale, static data .... it is not possible to prove
that an offline, static, stale paradigm subsumes timely, dynamic data ....
aka in a paradigm with timely, dynamic data it is trivial to show that
offline, static, stale certificates are redundant and superfluous.

By comparison the certification authorities are just looking to certify
some assertions regarding static, stale data (usually by checking with some
totally different organization that is actually responsible for the
accuracy of the assertions).

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
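The subset argument in the post above, as an added worked example that is not part of the original message or of any real CA or status service: a toy relying-party decision in which an offline certificate check (signature plus validity window) is what a timely check degenerates to when the relying party stops demanding freshness. The HMAC "signature", the in-memory status table, the subject names and the timestamps are all constructed for the illustration.

```python
"""Added example: a static (offline) certificate check versus a timely
(dynamic) status check, showing the static check as the special case
max_age=None of the dynamic one.

Everything here is constructed: the HMAC stands in for a CA signature,
STATUS stands in for an online status source, and the subjects are made up.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

CA_KEY = b"constructed-ca-key"  # assumption: symmetric stand-in for a CA signing key


@dataclass(frozen=True)
class Certificate:
    subject: str
    assertion: str   # the certified claim, e.g. "controls <domain>" (constructed)
    not_before: int  # unix seconds
    not_after: int
    signature: str


def _body(subject: str, assertion: str, not_before: int, not_after: int) -> bytes:
    # Canonical byte string the "CA" signs; json.dumps of a list is deterministic here.
    return json.dumps([subject, assertion, not_before, not_after]).encode()


def issue(subject: str, assertion: str, not_before: int, not_after: int) -> Certificate:
    """The CA certifies an assertion as true at issuance time and never revisits it."""
    sig = hmac.new(CA_KEY, _body(subject, assertion, not_before, not_after),
                   hashlib.sha256).hexdigest()
    return Certificate(subject, assertion, not_before, not_after, sig)


def static_valid(cert: Certificate, now: int) -> bool:
    """Offline check: signature and validity window only.

    Nothing here can learn that the assertion stopped being true after
    issuance; the data is stale by construction."""
    expected = hmac.new(CA_KEY, _body(cert.subject, cert.assertion,
                                      cert.not_before, cert.not_after),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.signature):
        return False
    return cert.not_before <= now <= cert.not_after


# Constructed stand-in for an online status source: subject -> (still_valid, as_of)
STATUS = {
    "alice.example": (True, 1_000_100),
    "mallory.example": (False, 1_000_050),  # assertion withdrawn after issuance
}


def dynamic_valid(cert: Certificate, now: int, max_age: Optional[int]) -> bool:
    """Timely check: the relying party states how fresh the status must be.

    max_age=None means "any age is acceptable", which is exactly the offline
    certificate check: the dynamic paradigm contains the static one as a
    subset, never the other way round."""
    if not static_valid(cert, now):
        return False
    if max_age is None:
        return True
    entry = STATUS.get(cert.subject)
    if entry is None:
        return False  # no timely data at all: refuse rather than trust stale data
    still_valid, as_of = entry
    return still_valid and (now - as_of) <= max_age


if __name__ == "__main__":
    NOW = 1_000_200
    mallory = issue("mallory.example", "controls mallory.example", 999_000, 1_100_000)
    print("static:", static_valid(mallory, NOW), "dynamic:", dynamic_valid(mallory, NOW, 1000))
```

Run stand-alone, the script shows the point of the post: the withdrawn assertion still passes the offline check, and only the relying party that asks for timely data sees the difference.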