Re: [IETF-PKIX] Multiple certificates for same key?
- To: IETF-PKIX@xxxxxxxxxxxxxxxx
- Subject: Re: [IETF-PKIX] Multiple certificates for same key?
- From: Tony Bartoletti <azb@xxxxxxxx>
- Date: Wed, 4 Mar 1998 13:53:22 -0800
- Approved-by: Tony Bartoletti <azb@LLNL.GOV>
- Comments: To: Bob Jueneman <BJUENEMAN@novell.com>
- Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
- Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
Bob,

Thanks for considering my comments. I didn't see them until after sending
_yet_another_ diatribe on the issue.

While I am concerned about privacy issues, the real thrust of my exploration
was to ferret out, by way of implication, what cert-chain mechanisms folks
expect to exist. The comments of some lead me to believe that an OCSP-type
responder could simply be submitted a public key (or its hash) and then it
would respond, boolean-wise, with "Yes, there IS a valid cert of some form for
that public key" or not. That is, as if there would be no provision for the
(e.g., OCSP) user to specify a cert, or a set of attributes that must be
present to indicate the key is suitable for their purposes. Such a system
could only work if there were exactly one cert-per-key, so *the one* cert
(hence *the one* key) is either valid or not.

I hope all of this is of value to someone;)

___TONY___
Tony Bartoletti
SPI-NET GURU
Computer Security Technology Center
Lawrence Livermore National Lab
PO Box 808, L - 303
Livermore, CA 94551-9900
email: azb@llnl.gov phone: 510-422-3881
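
The following is an added illustration, not part of the original message: a toy in-memory status responder showing why a key-only yes/no answer stops being meaningful once one key has several certificates, and how naming the certificate or the required attributes restores a usable answer. The CA names, serial numbers, key bytes, function names and the use of SHA-256 are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    public_key: bytes
    key_usage: frozenset
    revoked: bool

def key_hash(public_key: bytes) -> str:
    # Hash choice is an assumption made for this example.
    return hashlib.sha256(public_key).hexdigest()

# Constructed sample data: one key certified twice by hypothetical CAs.
ALICE_KEY = b"constructed-public-key-bytes"
CERTS = [
    Cert("CN=Example Signing CA", 1001, ALICE_KEY,
         frozenset({"digitalSignature"}), revoked=True),
    Cert("CN=Example Encryption CA", 2002, ALICE_KEY,
         frozenset({"keyEncipherment"}), revoked=False),
]

def status_by_key(khash: str) -> bool:
    """Key-only query: is there ANY unrevoked cert for this key?"""
    return any(not c.revoked for c in CERTS
               if key_hash(c.public_key) == khash)

def status_by_cert(issuer: str, serial: int) -> str:
    """Cert-specific query, keyed on issuer and serial number."""
    for c in CERTS:
        if (c.issuer, c.serial) == (issuer, serial):
            return "revoked" if c.revoked else "good"
    return "unknown"

def status_by_key_and_usage(khash: str, required: frozenset) -> bool:
    """Key query narrowed by attributes the relying party requires."""
    return any(not c.revoked and required <= c.key_usage
               for c in CERTS if key_hash(c.public_key) == khash)

if __name__ == "__main__":
    kh = key_hash(ALICE_KEY)
    print("key only:", status_by_key(kh))
    print("signing cert:", status_by_cert("CN=Example Signing CA", 1001))
    print("key + digitalSignature:",
          status_by_key_and_usage(kh, frozenset({"digitalSignature"})))
```

With this data the key-only query answers "yes" even though the only certificate authorizing signatures with that key has been revoked.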