
Re: [IETF-PKIX] Multiple certificates for same key?



>Sorry for this late reaction but it's been quite a task
>just to read all the contributions to this thread. I think
>the discussion so far has been very biased to, let me say,
>the "American soft-token" perspective. So, being a native
>European, let me improve that situation slightly.


I am also a European. I have not noticed a bias towards
soft certificates.

VeriSign certificates can be loaded onto a smartcard
(Gemplus or Schlumberger); I have a card and reader
myself. As a practical matter, however, smartcards
and readers are not yet ubiquitous.

The ambiguity problem is considerably worse with a smart
card than a soft certificate. The one declarative action that
is possible with the chip in card format is to insert the device
into a reader. Any variation in semantics must be captured
by the terminal - which cannot be considered as secure as
the card itself.


On the other hand I don't think we should wire any prohibition
on dual certification of keys into the standard, the practical
reason being that such a prohibition could not be enforced.
People are bound to do it whether or not it is a good idea.
Therefore it would not be a good thing for clients to rely on
it not taking place.

If there is not going to be an impact on the specification we
do not need to discuss it.

        Phill