Re: [IETF-PKIX] Multiple certificates for same key?
I'll skip quoting previous messages because it's hard to tell anymore
who said what....
One analogy presented was that several certificates for the same key
is similar to having several credit cards in your wallet.
It occurs to me that some of what's going on in this discussion is the
age-old problem of mixing up authentication with authorization. As in
"am I dealing with G. Paul Koning, that guy with the bushy beard,
passport number foo...?" vs. "given that I believe I'm dealing with
G. Paul Koning, is he entitled to charge $N to account number bar?"
It seems pretty clear that a pile of certificates all attesting to the
same key are certifying the same identity, i.e., authenticate the same
entity. But because they have different attributes, they may be
driving different authorization decisions.
In other words, it looks like the question is: are certificates
supposed to be authentication tools, or also authorization tools?
If only authentication tools, then that seems to leave only the case
of recertifying an existing key as a meaningful scenario for multiple
certificates.
If also authentication tools, then clearly there can be many
certificates since any individual is allowed to do many things, and
those permissions are granted by many independent organizations.
In the latter case, while it may be possible to have many different
key pairs for those many authorizing certificates, I agree with Bill
Burr that this is a bad idea. The more bits of secret I have, the
harder it is to protect those bits.
Another point: if certificates are authorizing tools, you aren't
actually going through the two step process of first authenticating
then authorizing. So it isn't functionally necessary to be able to
prove that each of my authorizing certificates "belongs to" the same
identity. On the other hand, it seems to be very useful to be able to
do this -- which is what you get by having them all tied to the same
key.
Finally, a thought that may not work... if there are many certificates
sharing a key, it would make sense for revocation to revoke the key,
not each certificate one by one.
paul
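The two ideas in this message, several certificates attesting to the same key and a revocation that targets the key rather than each certificate one by one, as an added Go example that is not part of the original thread. It builds self-signed certificates with the standard library (constructed sample data; the subject names, serial numbers and extended key usages are assumptions) and keys the revocation list by the SHA-256 of the SubjectPublicKeyInfo, so one entry covers every certificate issued over that key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyID hashes the SubjectPublicKeyInfo; every certificate over the same key shares it.
func KeyID(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// selfSign issues a self-signed certificate over key; the EKU stands in for an
// "authorization attribute". Constructed sample data, not a real PKI.
func selfSign(key *ecdsa.PrivateKey, cn string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, perr := x509.ParseCertificate(der) // der is nil when err != nil, so perr is set too
	if err != nil || perr != nil {
		panic("constructing the sample certificate failed")
	}
	return c
}

// RevokedByKey: one revocation entry per key covers every certificate issued over it.
func RevokedByKey(certs []*x509.Certificate, revokedKeys map[[32]byte]bool) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if revokedKeys[KeyID(c)] {
			out = append(out, c)
		}
	}
	return out
}

// Scenario: two certificates with different attributes over one key and a third over
// another key; revoking the shared key catches serials 1 and 2 but not 3.
func Scenario() []*x509.Certificate {
	shared, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certs := []*x509.Certificate{
		selfSign(shared, "G. Paul Koning", 1, x509.ExtKeyUsageClientAuth),
		selfSign(shared, "G. Paul Koning", 2, x509.ExtKeyUsageEmailProtection),
		selfSign(other, "someone else", 3, x509.ExtKeyUsageClientAuth),
	}
	return RevokedByKey(certs, map[[32]byte]bool{KeyID(certs[0]): true})
}

func main() { fmt.Println(len(Scenario()), "certificates revoked by key") }
```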