Re: [IETF-PKIX] Multiple certificates for same key?

["Balluffi, Frank" <BalluffiF@xxxxxxxxxx>]

        I agree with Mark Shuttleworth:

>   2. If the signed package does not include the certs, or references
> to
>      the certs (like the issuer+serial form of authorityKeyIdentifier)
>      then the validating technology should examine each of the options
>      to see if an appropriate chain of authority can be found before
>      crying foul.  This is really the case where the reference is of
> the
>      "hash of key" form, which could in theory point to multiple certs
>      all containning the same key.
>
> What I'm trying to say is, we should come up with rules that the
> software
> should follow that allow for multiple certs containing the same key,
> rather than saying "hardly ever do this".  The market will determine
> how
> often we do it, and the implementation should support the market,
> rather
> than dictate.  Whew, better get off this pedestal before people start
> throwing fruit ;)
>
        I think the word "rules" is a bit strong. Perhaps the potential
problems associated with multiple certificates per public key should be
identified and accompanied by some suggestions. For example:

*       applications (and protocols) may uniquely identify a certificate
by issuer and serialNumber
*       policy qualifiers may be embedded into certificates

        It's hard to imagine an SSL client being confused by a
certificate containing the policy qualifier "only for use by protocol
number 9".

        As a consumer, I would like to be able to purchase an
inexpensive cryptographic token capable of storing one key pair and hold
multiple certificates, one for each application (or protocol).

        Frank Balluffi
        CertCo LLC
        balluffif@certco.com