RE: x.509 v3 Certificates and Compatibility
"brad h" wrote:
>
>Let's narrow the scope down. Within a corporation they have their own
>CA that issues a certificate to all of its employees. Using the
>different extensions shouldn't they be able to use their one
>certificate for everything within their domain (web, S/MIME, VPN, etc.)?
>
Possibly. It would depend on corporate policy. Depending on the value
of transactions being done, the company might want to have different
types of certificates - e.g.,

here's your certificate (let's call it "medium assurance" :-) to use
when sending non-proprietary S/MIME e-mail to corporate
partners/subcontractors; when ordering a book or other small item over
the web or when... (If the key gets compromised, or the certificate
were issued to the wrong person, or whatever, it's not good, but the
outcome is not disastrous.)

here's your other certificate (call it... oh, whatever:-) for use when
the dollar value of the transaction is over $100,000; or when company
proprietary information is being sent, or when ... (If the key gets
compromised, or the certificate were issued to the wrong person, or
whatever, it can be disastrous. So, you want to take extra caution -
read, spend extra time and extra money - issuing the cert, and you want
it protected more tightly than the other cert. You want to limit your
cost, and limit the key's exposure, so you don't want this cert used for
small transactions of the type mentioned above.)

It's similar to the physical world. I have an employer-issued credit
card used for "small things", like a software package, a book, or a
plane ticket. When the cost of the item I need exceeds a certain
threshold, there's an entirely different process, an entirely different
credit card, and an entirely different approval process.

Now, if your question really is, couldn't a single certificate with
enough extensions be used for all applications, presuming that relevant
policy permitted it, then the answer is most likely "yes, that should be
able to happen."
Al Arsenault
-- speaking only for myself. My opinions do not necessarily represent
those of my employer.
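As an added example, not part of the original thread and not any vendor's code, here is a Go program that puts the two ideas in the reply side by side in X.509 terms: the "one certificate for everything" question is answered by the extended key usage (EKU) extension, and the "medium versus high assurance" split is expressed by the certificatePolicies extension, which is what a relying party reads to tell the two certificates apart. It builds a toy corporate CA, issues Alice a medium-assurance certificate scoped to S/MIME and client authentication and a high-assurance certificate scoped to client authentication only, then runs the checks a mail gateway, a VPN or web server, and a high-value purchasing system would make. The CA name, the employee name, the serial numbers and the two policy OIDs (under the private-enterprise arc 1.3.6.1.4.1, with a made-up enterprise number) are all constructed for this example; the EKU values and the certificatePolicies extension (id-ce 2.5.29.32) are standard RFC 5280. Only the Go standard library is used; the generic `must` helper needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder policy OIDs for the two assurance levels (made up for this example).
var oidMediumAssurance = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
var oidHighAssurance = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}

type policyInformation struct{ Policy asn1.ObjectIdentifier } // RFC 5280 PolicyInformation, no qualifiers

// must turns setup errors (key generation, signing) into panics to keep the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCorpCA builds a self-signed corporate CA and returns its certificate and key.
func newCorpCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Employee CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue creates an employee certificate scoped by EKU and labelled, via certificatePolicies (2.5.29.32), with its assurance policy.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, ekus []x509.ExtKeyUsage, policy asn1.ObjectIdentifier) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	policyDER := must(asn1.Marshal([]policyInformation{{Policy: policy}}))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		Subject:         pkix.Name{CommonName: "Alice Employee"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(12 * time.Hour),
		ExtKeyUsage:     ekus,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policyDER}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// permittedFor is the relying party's check: chain to the corporate CA with an EKU allowing purpose.
// A certificate with no EKU at all is refused, because Go's Verify would otherwise accept it for every purpose.
func permittedFor(pool *x509.CertPool, leaf *x509.Certificate, purpose x509.ExtKeyUsage) bool {
	if len(leaf.ExtKeyUsage) == 0 {
		return false
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}

// assertsPolicy reports whether the certificate's certificatePolicies extension names oid.
func assertsPolicy(leaf *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range leaf.PolicyIdentifiers {
		if p.Equal(oid) {
			return true
		}
	}
	return false
}

// Demo issues the thread's two certificates and applies the checks of a mail gateway (emailProtection),
// a VPN or web server (clientAuth), and a purchasing system that also demands the high-assurance policy.
func Demo() map[string]bool {
	caCert, caKey := newCorpCA()
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	medium := issue(caCert, caKey, 1001, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth}, oidMediumAssurance)
	high := issue(caCert, caKey, 1002, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, oidHighAssurance)
	highValue := func(c *x509.Certificate) bool { return permittedFor(pool, c, x509.ExtKeyUsageClientAuth) && assertsPolicy(c, oidHighAssurance) }
	return map[string]bool{
		"medium/email":      permittedFor(pool, medium, x509.ExtKeyUsageEmailProtection),
		"medium/clientauth": permittedFor(pool, medium, x509.ExtKeyUsageClientAuth),
		"medium/highvalue":  highValue(medium),
		"high/email":        permittedFor(pool, high, x509.ExtKeyUsageEmailProtection),
		"high/highvalue":    highValue(high),
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`. The medium certificate is accepted by the mail gateway and by the VPN (one certificate, several applications, exactly as the question asks) but refused by the purchasing system, which insists on the high-assurance policy OID; the high certificate is accepted for the large order and refused for S/MIME because it carries no emailProtection EKU. Two points worth noticing from a relying party's side: EKU alone cannot distinguish the two assurance levels (both certificates are valid for clientAuth), so the policy OID is what carries the "spend extra time and money issuing it" distinction; and a certificate with no EKU extension at all is treated by Go's `Verify` as valid for every purpose, so `permittedFor` refuses it outright rather than letting an unscoped certificate silently qualify for everything.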