Re: [IETF-PKIX] Multiple Certificates
All,
Please note that in the scenarios I have given regarding government
requirements for crypto key recovery, I intend this meaning to apply
to PKI keys *used* by government for government business, and not
necessarily for recovery of private-use crypto keys. My personal
feelings are that key recovery should be a "local policy" issue.

Regarding David Kemp's response to Paul Koning, I think that we can
all agree that two identical strings of bits are the *same* key,
regardless of how disparately generated. I am sure Paul meant as
much. The "second" certification of a key, contrary in use to a
policy specified in the first certification, represents a
"null-policy-intersection" for the use of that key. In other words,
the key cannot be used without the user being in violation of policy.
Government wants to know how to deter and/or detect such violation.
Where a policy-intersection is non-null, use should be valid where
such usage lies properly in this intersection. Else again there is
a violation of some policy.

I am sure that Paul did not mean to imply that a key separately
certified was a "different key" and that "null-intersection" meant
freedom to use each key according to (effectively) the union of the
usage policies.
___TONY___
Tony Bartoletti
SPI-NET GURU
Computer Security Technology Center
Lawrence Livermore National Lab
PO Box 808, L - 303
Livermore, CA 94551-9900
email: azb@llnl.gov phone: 510-422-3881
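One way to make the "null-policy-intersection" notion above concrete, as an added example that is not part of the thread: a small Python audit that groups certificates by the key they certify (identical key bits are the same key), intersects their KeyUsage and policy sets, and flags keys whose certifications leave no permitted use. The `Cert` structure, the `2.999.*` policy OIDs (the OID arc reserved for examples) and the sample data are constructed stand-ins for real X.509 fields.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the X.509 fields that matter here (constructed)."""
    serial: str
    spki: bytes            # SubjectPublicKeyInfo bytes; constructed sample data
    key_usage: frozenset   # KeyUsage bit names asserted by this certification
    policies: frozenset    # certificatePolicies OIDs (2.999.* is the example arc)


def key_fingerprint(cert):
    # Same key bits => same key, however disparately the copies were generated.
    return hashlib.sha256(cert.spki).hexdigest()


def policy_intersection(certs):
    """Usage permitted under *every* certification of one key."""
    usage = frozenset.intersection(*(c.key_usage for c in certs))
    policies = frozenset.intersection(*(c.policies for c in certs))
    return usage, policies


def audit(certs):
    """Group certificates by key and classify each key's combined policy."""
    by_key = {}
    for c in certs:
        by_key.setdefault(key_fingerprint(c), []).append(c)
    report = {}
    for fp, group in by_key.items():
        usage, policies = policy_intersection(group)
        if len(group) == 1:
            verdict = "single"
        elif not usage or not policies:
            verdict = "null-intersection"   # any use violates some policy
        else:
            verdict = "restricted"          # valid only within the intersection
        report[fp] = {"serials": sorted(c.serial for c in group),
                      "usage": usage, "policies": policies, "verdict": verdict}
    return report


def use_permitted(report, cert, requested_usage, policy):
    """A proposed use is policy-clean only if it lies in the intersection."""
    entry = report[key_fingerprint(cert)]
    return requested_usage in entry["usage"] and policy in entry["policies"]


# Constructed sample: key A certified twice with disjoint usages, key B twice
# with overlapping usages, key C only once.
SAMPLE = [
    Cert("01", b"key-A", frozenset({"digitalSignature"}), frozenset({"2.999.1"})),
    Cert("02", b"key-A", frozenset({"keyEncipherment"}), frozenset({"2.999.1"})),
    Cert("03", b"key-B", frozenset({"digitalSignature", "keyEncipherment"}),
         frozenset({"2.999.1", "2.999.2"})),
    Cert("04", b"key-B", frozenset({"digitalSignature"}), frozenset({"2.999.2"})),
    Cert("05", b"key-C", frozenset({"keyAgreement"}), frozenset({"2.999.3"})),
]
```

Running `audit(SAMPLE)` reports key A as a null intersection, key B as restricted to digitalSignature under policy 2.999.2, and key C as singly certified.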