[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [IETF-PKIX] Multiple certificates for same key?
- To: IETF-PKIX@xxxxxxxxxxxxxxxx
- Subject: Re: [IETF-PKIX] Multiple certificates for same key?
- From: Stephen Kent <kent@xxxxxxx>
- Date: Wed, 11 Mar 1998 00:33:57 -0500
- Approved-by: Stephen Kent <kent@BBN.COM>
- Comments: To: Bob Jueneman <BJUENEMAN@novell.com>
- In-reply-to: <s4fd3e10.065@novell.com>
- Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
- Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
Bob,
I feel that the discussion of "which cert goes with this signature" is
overblown. I would argue that a relying party needs to acquire a cert that
is valid and that contains a public key that validates the signature of the
signed data. If there is a only ine cert with a key that conforms to these
requirements, we're done. if there's more than one, then the relying party
has been given the opportunity to choose whichever one he wants. Many
applications I know of send the end user cert as part of a transaction,
messages, or session establishment protocol. Thus the relying party is
saved the trouble of having to guess, and ambuigity is avoided. When
non-repudiation is an issue, then it is important to understand the
implications of multuiple certification and users and CAs should behave
accordingly. However, if they choose poorly and create opportunities for
abmiguity and possible deception, I'd back the relying party if he can
produce a valid cert that is plausibly associated with the user and which
works from a signature validation perspective.
Steve