
Re: [IETF-PKIX] Critical extensions and Policy OIDs



Michael,

I think it is anyone's guess.  I don't know of anything in X.509 or in PKIX
that particularly mandates the USE of the policy OID -- it could be the ISBN
number of an unpublished manuscript which resides on the planet Vogon, for
all anyone knows.

I haven't done a recent search, but to the best of my knowledge, only
VeriSign has actually published a Certification Practice Statement, and I'm
not sure whether they intend to publish a separate Policy document in
addition, or not.

I'm not aware of any CAs that are actually including a policy OID in their
certificates to date -- if someone does know of some examples it might be
quite helpful -- maybe even a de facto practice.

Certainly the INTENT of the policy OID as I understand it was to provide
some kind of shorthand legal notice, in the form of an incorporation by
reference.

Corporate lawyers being what they are, I would expect that a Policy issued
by a CA would be long on defenses against any possible liability on their
part, and rather short on any possible defenses on the part of the
subscriber or subject, unless market demands eventually dictate such
language, or unless a particular strong customer shows up with sufficient
leverage to force particular language (same thing, I guess.)

What still isn't clear is the extent to which a policy OID constitutes a
representation or agreement between the subscriber and the CA, and/or the
extent to which such a representation by the subscriber can be relied on by
a relying party.

Seems to me that the relying party wants to know two things:  (1)  Under
what circumstances would the reliance on a digital signature verified by
reference to a particular certificate constitute a commercially UNREASONABLE
transaction, and (2) (the flip side) when would reliance on the digital
signature be considered the norm.

Hopefully the difference between these two states would be very small --
almost binary. If there is a lot of gray area in between, either the lawyers
will get rich or electronic commerce will fail to flourish (more likely the
latter).

As I understand the problem, disclosure forms in banking can be enforced by
the bank, but the existence of a contract between the bank and one of its
depositors does not form the basis of a suit by some third party who does
not have contractual privity with the depositor (e.g., the subscriber).

It seems somewhat unlikely that a CA would actually assume responsibility for
the subscriber's use of the issued certs -- at best they would take
responsibility for the correct identification of the subscriber and the
binding of the subscriber's public key to the name or other attributes, but
they aren't about to get into the underwriting business -- at least under
present business models.

Bob

>
>>>> Mike Smith <mfsmith@ZIONSBANK.COM> 12/12 9:07 AM >>>
>Bob:
>
>Isn't the policy OID referring to the CA's disclosure of practices under
>which they will operate AND under which they assume responsibility for the
>subscriber's use of issued certs?  Don't some act as disclosure forms as in
>bank lending, wherein they govern actions of the subscribers?
>
>Michael
>
>
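Added example, not part of the thread above: the certificatePolicies extension the subject line refers to, encoded and decoded with standard-library Python, plus the relying-party rule for a critical extension. The extension is a SEQUENCE OF PolicyInformation, each carrying the policy OID and optional qualifiers; the id-qt-cps qualifier is an IA5String URI pointing at the CPS, which is the mechanical form of the "incorporation by reference" Bob describes. The policy OID 1.3.6.1.4.1.99999.1.1 and the URL http://cps.example.com/cps.txt are made up for this example; the ASN.1 shapes follow X.509 as profiled by PKIX (RFC 5280), which postdates this exchange.

```python
from dataclasses import dataclass, field

CERTIFICATE_POLICIES = "2.5.29.32"          # id-ce-certificatePolicies
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"             # id-qt-cps: CPS pointer qualifier (IA5String URI)
HYPOTHETICAL_POLICY = "1.3.6.1.4.1.99999.1.1"             # made-up CA policy OID for this example
HYPOTHETICAL_CPS_URL = b"http://cps.example.com/cps.txt"  # made-up CPS location

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; bodies under 64 KiB are all this example needs."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def decode_oid(body: bytes) -> str:
    first = body[0]                          # 40*a+b; arc b may exceed 39 only when a == 2
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

@dataclass
class Extension:
    oid: str
    critical: bool
    value: bytes                             # DER carried inside extnValue's OCTET STRING

@dataclass
class PolicyInformation:
    policy_oid: str
    cps_uris: list[str] = field(default_factory=list)

def decode_extension(der: bytes) -> Extension:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    _, seq, _ = _read_tlv(der, 0)
    _, oid_body, pos = _read_tlv(seq, 0)
    tag, body, pos = _read_tlv(seq, pos)
    critical = tag == 0x01 and body == b"\xff"   # DER omits the BOOLEAN when it is FALSE
    if tag == 0x01:
        tag, body, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return Extension(decode_oid(oid_body), critical, body)

def decode_certificate_policies(value: bytes) -> list[PolicyInformation]:
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID,
    policyQualifiers SEQUENCE OF SEQUENCE { policyQualifierId OID, qualifier ANY } OPTIONAL }"""
    _, seq, _ = _read_tlv(value, 0)
    policies, pos = [], 0
    while pos < len(seq):
        _, pinfo, pos = _read_tlv(seq, pos)
        _, oid_body, qpos = _read_tlv(pinfo, 0)
        info = PolicyInformation(decode_oid(oid_body))
        if qpos < len(pinfo):                # optional qualifiers are present
            _, quals, _ = _read_tlv(pinfo, qpos)
            q = 0
            while q < len(quals):
                _, qinfo, q = _read_tlv(quals, q)
                _, qid_body, vpos = _read_tlv(qinfo, 0)
                qtag, qval, _ = _read_tlv(qinfo, vpos)
                if decode_oid(qid_body) == ID_QT_CPS and qtag == 0x16:   # CPS pointer is an IA5String
                    info.cps_uris.append(qval.decode("ascii"))
        policies.append(info)
    return policies

def relying_party_decision(ext: Extension, acceptable: set[str]) -> tuple[bool, str]:
    """X.509 rule: a certificate with a critical extension the application does not recognise must be
    rejected; a non-critical one may be ignored. Rejecting a critical certificatePolicies that lists no
    policy the relying party accepts is this example's own choice."""
    if ext.oid != CERTIFICATE_POLICIES:
        return (False, f"unrecognised critical extension {ext.oid}") if ext.critical \
            else (True, f"ignored non-critical extension {ext.oid}")
    matched = [p.policy_oid for p in decode_certificate_policies(ext.value) if p.policy_oid in acceptable]
    if matched:
        return True, f"policy {matched[0]} is acceptable"
    if ext.critical:
        return False, "critical certificatePolicies lists no acceptable policy"
    return True, "no acceptable policy listed, but the extension is not critical"

def build_sample_extension(critical: bool) -> bytes:
    """Constructed sample: one PolicyInformation carrying the hypothetical policy and a CPS pointer."""
    cps = _tlv(0x30, encode_oid(ID_QT_CPS) + _tlv(0x16, HYPOTHETICAL_CPS_URL))
    policy = _tlv(0x30, encode_oid(HYPOTHETICAL_POLICY) + _tlv(0x30, cps))
    body = encode_oid(CERTIFICATE_POLICIES) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, _tlv(0x30, policy)))
```

Decoding `build_sample_extension(True)` yields the policy OID and the CPS URI and, because the extension is marked critical, a relying party whose acceptable set does not contain that OID rejects the certificate; the same extension marked non-critical is accepted with a warning. Whether the CPS that the id-qt-cps URI points at creates any obligation between CA, subscriber and relying party is the legal question the thread leaves open; the code only shows what is actually carried in the certificate.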