> Yes, this implicit limit on the meaning of the word "certificate"
> is what we are talking about. Belts-and-suspenders (i.e. security in depth) is
> precisely what I believe in.

Subtle differences in declarative semantic models here are matters of belief, and it's obviously religious. Bits are no use for conveying these matters. It's unlikely the entire PKIX world will adopt a single religion. There are those who believe in one good practice over another as critical to some degree or other.

Here is what we do, I suggest: Let CA operators assert the practices they follow via the certificate policy id fields, and let consumers choose to rely, or not, based on that explicit disclosure, and their trust in the CA for conforming to the disclosed operating regulations.

If we agreed on this, then: split the disclosure in two parts: A) certificate policy identifier OID for CA specific matters documented in its CPS; B) PKIX std qualifier - required to be attached to any certificate whose issuer is wishing to claim technical conformance to PKIX, be this to a type X (1) or type Y (2) regime as signaled in the qualifier value indicated.

A mainstream public-service CPS can be expected to enable the operator of a CA to legally stand behind a type X/Y technical claim to users or relying parties, and the presence of such disclosures is precisely the sort of thing used to distinguish between CA service offerings, based on a party's analysis of that disclosure, or a positive recommendation of a credible other.
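The relying-party side of the proposal above (read the policy OIDs and qualifiers a CA asserted, then decide whether to rely) can be made concrete with a small parser for the PKIX CertificatePolicies extension (RFC 5280 section 4.2.1.4). The following is an added example, not code from the thread or from any PKIX implementation. It hand-builds a sample extension value with a pure-Python DER encoder, parses it back, and applies a simple reliance rule. The policy OIDs `2.999.1.1` and `2.999.2.1` and the URI `https://ca.example/cps` are constructed placeholders under the ITU-T example arc; the CPS-pointer qualifier OID `1.3.6.1.5.5.7.2.1` and the anyPolicy OID `2.5.29.32.0` are the real PKIX values. The "type X / type Y" conformance qualifier the message proposes has no assigned identifier, so it is not modelled here.

```python
"""Parse a PKIX CertificatePolicies extension and decide whether to rely on it.

Added example; all sample values are constructed. The relying-party rule is:
accept only if the certificate explicitly asserts one of our accepted policy
OIDs, and (by default) only if that policy carries a CPS pointer, i.e. the CA
has actually disclosed the operating regulations it claims to follow.
"""

CPS_QUALIFIER = "1.3.6.1.5.5.7.2.1"   # id-qt-cps: IA5String URI of the CPS
ANY_POLICY = "2.5.29.32.0"            # anyPolicy: not an explicit disclosure


# --- minimal DER encoder (used only to construct the sample extension) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    # First two arcs are combined into one sub-identifier (40 * a + b).
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(0x06, body)


# --- minimal DER decoder ---
def der_read(buf, pos):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln


def der_seq_items(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        items.append((tag, val))
    return items


def oid_decode(body):
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def parse_certificate_policies(ext_value):
    """Return [{'policy': oid, 'qualifiers': [(qualifier_oid, value), ...]}, ...]."""
    tag, body, _ = der_read(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies = []
    for tag, info in der_seq_items(body):       # each PolicyInformation
        items = der_seq_items(info)
        entry = {"policy": oid_decode(items[0][1]), "qualifiers": []}
        if len(items) > 1:                      # optional policyQualifiers
            for _, q in der_seq_items(items[1][1]):
                qitems = der_seq_items(q)       # PolicyQualifierInfo
                qid = oid_decode(qitems[0][1])
                qtag, qval = qitems[1]
                # CPS pointer is an IA5String (tag 0x16); keep anything else raw.
                value = qval.decode("ascii") if (qid == CPS_QUALIFIER and qtag == 0x16) else qval
                entry["qualifiers"].append((qid, value))
        policies.append(entry)
    return policies


def decide_reliance(policies, accepted_policy_oids, require_cps_uri=True):
    """Return (rely: bool, reason: str) for a relying party's accepted-policy set."""
    matched_without_cps = []
    for p in policies:
        # anyPolicy asserts nothing specific, so it never satisfies an explicit requirement.
        if p["policy"] == ANY_POLICY or p["policy"] not in accepted_policy_oids:
            continue
        cps_uris = [v for qid, v in p["qualifiers"] if qid == CPS_QUALIFIER]
        if cps_uris or not require_cps_uri:
            return True, "relies on policy %s (CPS: %s)" % (p["policy"], cps_uris[0] if cps_uris else "not disclosed")
        matched_without_cps.append(p["policy"])
    if matched_without_cps:
        return False, "policy %s accepted but no CPS pointer disclosed" % matched_without_cps[0]
    return False, "no accepted policy asserted"


def build_sample_extension():
    """Constructed sample: policy A with a CPS pointer, policy B without qualifiers."""
    cps = der_tlv(0x30, der_oid(CPS_QUALIFIER) + der_tlv(0x16, b"https://ca.example/cps"))
    policy_a = der_tlv(0x30, der_oid("2.999.1.1") + der_tlv(0x30, cps))
    policy_b = der_tlv(0x30, der_oid("2.999.2.1"))
    return der_tlv(0x30, policy_a + policy_b)


if __name__ == "__main__":
    parsed = parse_certificate_policies(build_sample_extension())
    for p in parsed:
        print(p)
    print(decide_reliance(parsed, {"2.999.1.1"}))
    print(decide_reliance(parsed, {"2.999.2.1"}))
```

The extension value fed to `parse_certificate_policies` is the raw `extnValue` octets of a real certificate's CertificatePolicies extension; in practice it would come from an X.509 parser rather than from `build_sample_extension`. The `require_cps_uri` switch is the knob that expresses the thread's point: a relying party can insist on seeing the CA's disclosure, not merely an OID it has learned to recognise.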