
Re: [IETF-PKIX] Multiple certificates for same key?



At 04:33 PM 3/4/98 -0500, Paul Koning wrote, in part:

>If only authentication tools, then that seems to leave only the case
>of recertifying an existing key as a meaningful scenario for multiple
>certificates.

As Bob Jueneman pointed out, in the absence of globally unique names,
how is such authentication to work?  Here at LLNL, there are several
Dave Browns and Bob Smiths, so even an additional company qualifier
fails to disambiguate.

Where the identity is unambiguous, then the "multiple certs" should
really be for authorizations, as you point out.  Multiple "identity"
certs may still differ in "class" or the degree of assurance given
to the binding by the CA.  So the RP application may need to know
which certificate, not to ascertain "role or attribute of holder" but
to determine assurance level appropriate to usage.

You make a very good point in alluding to a protocol that would state
"public key Z is revoked" rather than "cert Z is revoked" in the case
of revocation due to key compromise.  The difficulty:  In the latter
case, it is the cert issuer that governs a revocation status.  Who
would want the job of independently announcing the revocation status
of a key (perhaps wrongly) that has been certified by disparate parties?

___TONY___


Tony Bartoletti                                             LL
SPI-NET GURU                                             LL LL
Computer Security Technology Center                   LL LL LL
Lawrence Livermore National Lab                       LL LL LL
PO Box 808, L - 303                                   LL LL LLLLLLLL
Livermore, CA 94551-9900                              LL LLLLLLLL
email: azb@llnl.gov   phone: 510-422-3881             LLLLLLLL