Re: [IETF-PKIX] Multiple certificates for same key?
Stefan,
At 06:34 PM 3/2/98 +0100, you wrote:
>Folks,
>
>I haven't had the time to browse through all the different latest drafts, I'm
>afraid. Having had some discussions concerning the German digital signature
>law, however, a question occurred to me: Is a CA allowed to issue two (or
>more) certificates for a single end-entity's public key? If yes, this could
>lead to big problems, especially in terms of liability of the CA. If
>not, shouldn't this be specified somewhere?
Could you expand on the liability issues you mention regarding the issuance of
differing certificates for the same public key? From a layman's point of view,
of course a CA could get into trouble issuing arbitrary certificates on a given
end-user's public key. But, for the sake of argument, if I want the same key
to be certified by a CA in two distinct certificates, both of which contain
data that identifies me (in different ways, for different reasons,) then it
seems to be up to the relying party to check if there is a valid certificate
for that key, suitable for their purposes of identification. (Apologies for
naive view and tortured sentence structure.)
Here is a related question (and perhaps more likely desired): Can I ask a CA
to certify 10 keys, in 10 certificates, all of which attest to identical info?
(modulo certificate id, of course.) My thought is, I want to use my keys very
sparingly, cycling through them so to thwart marketeers attempting to trace my
habits. This presupposes that I, the cert-owner, control the cert that I point
the relying party to use.
Thoughts?
Tony Bartoletti
SPI-NET GURU
Computer Security Technology Center
Lawrence Livermore National Lab
PO Box 808, L - 303
Livermore, CA 94551-9900
email: azb@llnl.gov phone: 510-422-3881