Re: [IETF-PKIX] Multiple certificates for same key?
>Bob:
>
>I must disagree. PKIX cannot provide non-repudiation. PKIX provides
>necessary stuff, but the signing application must do other things that are
>beyond the scope of PKIX. S/MIME is one such application.
>
>Russ
Russ, I don't disagree that PKIX cannot provide non-repudiation in and of itself.
The question is whether PKIX is in fact providing the "necessary stuff", or
whether each application has to solve the problem of binding certificates to
documents, over and over again.

I don't believe this issue affects non-repudiation exclusively. I might have to
think for a second, but I think I could come up with a scenario where which
certificate is used would affect access controls and similar uses in SSL, IPSEC,
and other evolving protocols. So I don't want to relegate the issue to the S/MIME
group alone.

To say it another way, I think we (the technical community at large)
made a fundamental blunder in the past in not cryptographically binding the
certificate to the message, document, etc., at the time of signing.

And now I am suggesting that we consider whether, and how, we
could fix that fundamental problem.

Bob
Robert R. Jueneman
Security Architect
Novell, Inc.
Network Products Group
122 East 1700 South
Provo, UT 84604
801/861-7387
bjueneman@novell.com
"If you are trying to get to the moon, climbing a tree,
although a step in the right direction, will not prove
to be very helpful."
"The most dangerous strategy is to cross a chasm in two jumps."
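
The binding problem raised in this message, as an added example that is not part of the original post: when two certificates carry the same key, a signature over the message alone verifies under either one, while a signature that also covers a hash of the chosen certificate verifies only under that one. The toy textbook RSA, the dictionary "certificates" and the policy names are constructed assumptions standing in for a real signature scheme and X.509.

```python
import hashlib

# Toy textbook-RSA key from two Mersenne primes (constructed; not secure).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Two constructed "certificates" for the SAME public key, differing in policy.
CERT_PERSONAL = {"subject": "Bob", "policy": "personal e-mail", "key": (N, E)}
CERT_PURCHASING = {"subject": "Bob", "policy": "corporate purchasing", "key": (N, E)}
MSG = b"I agree to purchase 500 units."

def digest(data: bytes, n: int) -> int:
    """SHA-256 of data, reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(data: bytes) -> int:
    return pow(digest(data, N), D, N)

def rsa_verify(data: bytes, sig: int, cert: dict) -> bool:
    n, e = cert["key"]
    return pow(sig, e, n) == digest(data, n)

def cert_hash(cert: dict) -> bytes:
    """Hash of a canonical encoding of the whole certificate, not just the key."""
    return hashlib.sha256(repr(sorted(cert.items())).encode()).digest()

# Unbound: the signature covers only the message.
def sign_unbound(msg: bytes) -> int:
    return rsa_sign(msg)

def verify_unbound(msg: bytes, sig: int, cert: dict) -> bool:
    return rsa_verify(msg, sig, cert)

# Bound: the signature covers hash(certificate) || message, fixed at signing time.
def sign_bound(msg: bytes, cert: dict) -> int:
    return rsa_sign(cert_hash(cert) + msg)

def verify_bound(msg: bytes, sig: int, cert: dict) -> bool:
    return rsa_verify(cert_hash(cert) + msg, sig, cert)

if __name__ == "__main__":
    s = sign_unbound(MSG)
    print("unbound:", verify_unbound(MSG, s, CERT_PERSONAL),
          verify_unbound(MSG, s, CERT_PURCHASING))
    sb = sign_bound(MSG, CERT_PURCHASING)
    print("bound:  ", verify_bound(MSG, sb, CERT_PERSONAL),
          verify_bound(MSG, sb, CERT_PURCHASING))
```

In the unbound case the verifier has no cryptographic evidence of which certificate, and therefore which policy, the signer intended.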