[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [IETF-PKIX] Multiple certificates for same key?
- To: IETF-PKIX@xxxxxxxxxxxxxxxx
- Subject: Re: [IETF-PKIX] Multiple certificates for same key?
- From: "Frank O'Dwyer" <fod@xxxxxx>
- Date: Tue, 10 Mar 1998 22:01:02 -0000
- Approved-by: Frank O'Dwyer <fod@BRD.IE>
- Mmdf-warning: Parse error in original version of preceding line at post.mail.demon.net
- Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
- Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
>But do we sign with a certificate, or with a key? I don't think that key
>and certificate are synonymous. If the context of the certificate matters
>to the signature, then I should include the certificate in the signed
>message.
Unfortunately in general a signer has no reliable means
of predicting which certificate(s) a verifier will trust. For
example it is pointless to demand that verifiers use your
Verisign certificate if some of your audience simply don't
trust Verisign.
What really seems intended, and what might work instead,
would be to include the intended certified attributes in the
signature - in effect the signer would say "I intend to make
this signature as Joe Bloggs with extension OIDs a.b.c=foo,
x.y.z=bar". Then it would be up to each verifier to find some
certificate(s) that authenticated those attributes for it. The
signer could include some certificates as hints perhaps,
and/or as a convenient syntax for asserting the desired
attributes.
The above seems like an application matter, though. Also
it may be simpler to just use a different private key for
each context.
Cheers,
Frank O'Dwyer.