[IETF-PKIX] NO SUBJECT
- To: IETF-PKIX@xxxxxxxxxxxxxxxx
- Subject: [IETF-PKIX] NO SUBJECT
- From: Mack Hicks <Mack.Hicks@xxxxxxxxxxxxxxx>
- Date: Wed, 17 Dec 1997 13:43:58 -0800
- Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
- Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
For: IETF-PKIX Mailing list
From: "Russ Housley"<housley@spyrus.com>
> Mike:
>
>This is not necessarily so. The use of extensions can limit the scope of
>the "tree" that becomes valid as a result of cross-certification. For
>example, name constraints could result in a small subset of the
>certificates issued by a CA being considered valid in the context path that
>includes a cross certificate.
>
>Russ
Russ,
I have to voice my agreement with Mike that cross-certification
is not manageable (technical banking term: "scary").
An example: the trust relationships between UNIX nodes. One can
make the point that the Rhost kind of trust is similar to the
cross-certification model. Rhost type of trust has done nothing
but get lots of people into lots and lots of trouble.
Cross certification may look OK to field commanders in military
applications. Ya know -"Well that's Sam's group - he and I
played hockey together - Let's trust those guys."
Some people think banks trust each other through their Am Bnks Ass
number (like on the checks). Anyone who has gotten a bounced check
knows this is not the case. Knowing the "naming" and "addressing"
(name constraints!) does not increase the level of trust.
Keeping naming constraints current - or even manageable - is the
full time task for lots of people in the mainframe world.
Keeping that trust (usually in one place - like RACF or ACF2)
is a full time job that often goes horribly wrong.
So, for financial transactions, we are left with on-line status
verification. Is there any bank out there that wants to cross
certify? With whom?
- - - - - - - - - - - - -
Mack Hicks (415) 278-7230 -- Interactive Banking Division
425 1st St m/s3671, SF CA 94105 <Mack.Hicks@BankAmerica.com>
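Russ's point above is that name constraints in a cross-certificate narrow which of the other CA's certificates a relying party will accept. The following Python is an added example, not part of the thread: it implements the RFC 5280 dNSName and rfc822Name matching rules and accumulates constraints along a constructed cross-certified path. The bank names, subtrees and the `NameConstraints` helper are invented for illustration.

```python
from dataclasses import dataclass, field

def dns_matches(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName constraint is satisfied by the
    constraint itself or by any name formed by adding labels on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def email_matches(name: str, subtree: str) -> bool:
    """rfc822Name constraint: a full address matches only itself, a bare
    host matches every mailbox on that host, and a leading '.' matches
    mailboxes on strict subdomains (not the domain itself)."""
    name, subtree = name.lower(), subtree.lower()
    if "@" in subtree:
        return name == subtree
    host = name.rsplit("@", 1)[-1]
    if subtree.startswith("."):
        return host.endswith(subtree)
    return host == subtree

MATCHERS = {"dns": dns_matches, "email": email_matches}

@dataclass
class NameConstraints:
    """Hypothetical holder: maps a name type ('dns', 'email') to subtrees."""
    permitted: dict = field(default_factory=dict)
    excluded: dict = field(default_factory=dict)

def name_allowed(kind: str, name: str, path: list) -> bool:
    """A leaf name survives only if every CA certificate on the path
    permits it: constraints accumulate down the path and never relax."""
    match = MATCHERS[kind]
    for nc in path:
        if any(match(name, s) for s in nc.excluded.get(kind, [])):
            return False
        permitted = nc.permitted.get(kind)
        if permitted is not None and not any(match(name, s) for s in permitted):
            return False
    return True

# Constructed path: Bank A's root issues a cross-certificate to Bank B's CA
# constrained to Bank B's names; Bank B's own CA excludes a test subtree.
CROSS_CERT = NameConstraints(permitted={"dns": ["bankb.example"],
                                        "email": [".bankb.example"]})
BANK_B_CA = NameConstraints(excluded={"dns": ["test.bankb.example"]})
PATH = [CROSS_CERT, BANK_B_CA]

if __name__ == "__main__":
    for n in ["payments.bankb.example", "bankb.example.evil.example"]:
        print(n, name_allowed("dns", n, PATH))
```

Note that the constraint only decides which names chain through the cross-certificate; as Mack argues, it says nothing about whether the other CA's issuance practices deserve that trust.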