
Re: [IETF-PKIX] NO SUBJECT



Mack:

I understand your issues, and in the banking community, there may be very
limited cross certification.

I was simply trying to point out that the issuance of a cross certificate
from CA_a to CA_b need not cause every certificate issued by CA_b to become
valid to the community that considers CA_a to be a trusted root.  If there
is an easily identified subset of CA_b's community and CA_a trusts CA_b to
correctly validate the membership in that subset, then cross certification
is an appropriate mechanism.  Trust is the center of this issue.  You
correctly point out that bankers like to minimize the number of people (and
organizations) that they need to trust.  It greatly simplifies the risk
analysis and risk management.

Russ

At 01:43 PM 12/17/97 -0800, Mack Hicks wrote:
>For: IETF-PKIX Mailing list
>
>From: "Russ Housley"<housley@spyrus.com>
>
>> Mike:
>>
>>This is not necessarily so.  The use of extensions can limit the scope of
>>the "tree" that becomes valid as a result of cross-certification.  For
>>example, name constraints could result in a small subset of the
>>certificates issued by a CA being considered valid in the context path that
>>includes a cross certificate.
>>
>>Russ
>
>Russ,
>
>I have to voice my agreement with Mike that cross-certification
>is not manageable (technical banking term - "scary".)
>
>An example: the trusted relationships between UNIX nodes.  One can
>make the point that the Rhost kind of trust is similar to the
>cross-certification model.  Rhost type of trust has done nothing
>but get lots of people into lots and lots of trouble.
>
>Cross certification may look OK to field commanders in military
>applications.  Ya know -"Well that's Sam's group - he and I
>played hockey together - Let's trust those guys."
>
>Some people think banks trust each other through their Am Bnks Ass
>number (like on the checks).  Anyone who has gotten a bounced check
>knows this is not the case.  Knowing the "naming" and "addressing"
>(name constraints!) does not increase the level of trust.
>
>Keeping naming constraints current - or even manageable - is the
>full time task for lots of people in the mainframe world.
>Keeping that trust (usually in one place - like RACF or ACF2)
>is a full time job that often goes horribly wrong.
>
>
>So, for financial transactions, we are left with on-line status
>verification.  Is there any bank out there that wants to cross
>certify? With whom?
>
>-   -    -    -    -    -    -    -    -    -    -    -    -
>Mack Hicks (415) 278-7230  -- Interactive Banking Division
>425 1st St m/s3671, SF CA 94105 <Mack.Hicks@BankAmerica.com>
>
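The mechanism Russ describes in both messages above (a cross-certificate from CA_a to CA_b whose name constraints admit only a subset of CA_b's community) as an added illustration that is not part of this thread: a small Python model of RFC 5280 path validation restricted to rfc822Name constraints. The CA names, mailbox domains and certificate objects are constructed for the example; real validation also checks signatures, validity periods, revocation status (the on-line check Mack refers to) and the other name forms.

```python
"""Name constraints on a cross-certification path (RFC 5280 section 4.2.1.10).
CA_a's cross-certificate to CA_b carries permittedSubtrees, so only the part of
CA_b's community inside them validates for parties holding CA_a as a trusted root.
Only rfc822Name (e-mail) constraints are modelled; signatures are not checked."""
from dataclasses import dataclass

@dataclass
class Cert:                      # constructed stand-in for an X.509 certificate
    subject: str
    issuer: str
    is_ca: bool = False
    emails: tuple = ()           # rfc822Name subjectAltName entries
    permitted: tuple = ()        # permittedSubtrees, rfc822Name form
    excluded: tuple = ()         # excludedSubtrees, rfc822Name form

def in_subtree(addr: str, subtree: str) -> bool:
    """'a@b' names one mailbox, 'host' every mailbox on it, '.dom' every host in dom."""
    addr, subtree = addr.lower(), subtree.lower()
    if "@" in subtree:
        return addr == subtree
    domain = addr.rsplit("@", 1)[-1]
    return domain.endswith(subtree) if subtree.startswith(".") else domain == subtree

def validate_path(anchor: str, chain: list) -> tuple:
    """chain runs from the cross-certificate down to the end entity; the trust
    anchor itself is not in it.  Returns (True, 'ok') or (False, reason)."""
    permitted_sets, excluded = [], []   # constraints set by CAs above the current cert
    expected_issuer = anchor
    for i, cert in enumerate(chain):
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issuer is not {expected_issuer}"
        if i < len(chain) - 1 and not cert.is_ca:
            return False, f"{cert.subject}: not a CA, yet issued the next certificate"
        for addr in cert.emails:         # a CA's constraints bind the names below it
            if any(in_subtree(addr, s) for s in excluded):
                return False, f"{addr}: in an excluded subtree"
            if not all(any(in_subtree(addr, s) for s in ps) for ps in permitted_sets):
                return False, f"{addr}: outside the permitted subtrees"
        if cert.permitted:               # intersection: every CA's permitted set must match
            permitted_sets.append(cert.permitted)
        excluded.extend(cert.excluded)   # excluded subtrees accumulate as a union
        expected_issuer = cert.subject
    return True, "ok"

# Constructed sample: CA_a trusts CA_b only for mailboxes on its treasury host.
CROSS = Cert("CN=CA_b", "CN=CA_a", is_ca=True, permitted=("treasury.bankb.example",))
ALICE = Cert("CN=Alice", "CN=CA_b", emails=("alice@treasury.bankb.example",))
BOB = Cert("CN=Bob", "CN=CA_b", emails=("bob@retail.bankb.example",))
```

`validate_path("CN=CA_a", [CROSS, ALICE])` accepts Alice while the same call with `BOB` is rejected as outside the permitted subtrees, which is the "small subset" effect Russ describes; a subordinate CA under CA_b can only narrow the set further, never widen it.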