Re: x.509 v3 Certificates and Compatibility
As a former controller, I may wish to have the cert and keys in a smart card that I can keep locked in a safe and only take out when I have to sign the "large" purchase requests, authorize endowment adjustments, etc. I would probably have one for my employee status and eMail identification stored in my browser. I would have another for encryption of my records, etc. (probably on card or secure disk). These would all be in the same domain of trust.
As each of my roles changes, or my authority increases or decreases, I would either have to have my old cert revoked and a new one issued, or one for that new role issued. I know we could throw in attribute certs or just use one identity cert with all rights in some sort of centralized authentication server to minimize the actual number of certificates within the company (my preference, by the way). In addition, if one is a customer of the corporation as well as an employee, then they may have a customer certificate in the same domain as well as an employee or fiduciary type certificate.
Michael
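To make concrete what Brad is asking (one employee cert whose extensions cover web, S/MIME and VPN inside the company's own domain of trust) and what Michael describes (revoking the old cert when a role changes), here is an added example in Go. It is not code from anyone on this list; it uses only the standard library crypto/x509 package, and the CA name, employee name, e-mail address, serial numbers and lifetimes are made up for the example. The revocation list is a plain slice of serials standing in for a CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and a certificate for tmpl. When parent is
// nil the certificate is self-signed (the corporate root); otherwise it is
// signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildCorpPKI issues a constructed corporate CA and one employee certificate
// whose extensions cover several applications at once: keyUsage
// digitalSignature plus extendedKeyUsage clientAuth (web/VPN client) and
// emailProtection (S/MIME). All names and lifetimes are made up.
func BuildCorpPKI() (ca, employee *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	employee, _, err = issue(&x509.Certificate{
		SerialNumber:   big.NewInt(1001),
		Subject:        pkix.Name{CommonName: "Brad H", Organization: []string{"Example Corp"}},
		EmailAddresses: []string{"bradh@example.com"},
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, ca, caKey)
	return ca, employee, err
}

// UsableFor reports whether cert is not on the revocation list, chains to ca,
// and carries an extendedKeyUsage that permits purpose. A purpose the issuer
// never granted (serverAuth here) is refused even though the signature is valid.
func UsableFor(cert, ca *x509.Certificate, purpose x509.ExtKeyUsage, revoked []*big.Int) bool {
	for _, s := range revoked {
		if cert.SerialNumber.Cmp(s) == 0 {
			return false
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err == nil
}

func main() {
	ca, emp, err := BuildCorpPKI()
	if err != nil {
		panic(err)
	}
	checks := []struct {
		name string
		eku  x509.ExtKeyUsage
	}{
		{"client auth (web/VPN)", x509.ExtKeyUsageClientAuth},
		{"email protection (S/MIME)", x509.ExtKeyUsageEmailProtection},
		{"server auth (not granted)", x509.ExtKeyUsageServerAuth},
	}
	for _, c := range checks {
		fmt.Printf("%-28s usable=%v\n", c.name, UsableFor(emp, ca, c.eku, nil))
	}
	// When the role changes, revoking the one cert withdraws every purpose at
	// once; separate per-role certs would let the others keep working.
	fmt.Println("after revocation:", UsableFor(emp, ca, x509.ExtKeyUsageClientAuth, []*big.Int{emp.SerialNumber}))
}
```

The point the checks make: a single cert can indeed carry several extendedKeyUsage values and be accepted by a web server, a VPN concentrator and an S/MIME client within the corporate domain, but the relying party has to verify the extension for its own purpose, and one revocation takes all of those uses away together.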
>>> brad h <bradh_1998@yahoo.com> 08/14 7:50 AM >>>
Okay, I understand your response saying that it's really not feasible
to have one all-governing CA worldwide.
Let's narrow the scope down. Within a corporation they have their own
CA that issues a certificate to all of its employees. Using the
different extensions shouldn't they be able to use their one
certificate for everything within their domain (web, S/MIME, VPN, etc.)?
Brad
---Mike Smith <mfsmith@zionsbank.com> wrote:
>
> Domains of trust. If your single cert came from a single source
> that EVERYONE (worldwide) trusted (and who indemnified ALL who relied
> on the certs they issued and that their authentication practices met
> or exceeded those in other domains of trust) and they issued all the
> rights to you at once, then, maybe that single cert could be
> practical. However, I'm still not sure I would trust it for anything
> other than issuing a cert to you to do business from me.
>
> michael
> >>> brad h <bradh_1998@yahoo.com> 08/13 2:46 PM >>>
> I have a question that the group might be able to help me out with.
> I've been researching this question but have not yet been able to come
> up with an answer.
>
> I was wondering why a person would have to have more than one x.509 v3
> certificate? From what I understand they should all be
> inter-operable.
>
> If you have a x.509 v3 cert shouldn't you be able to add extensions
> for each type of device/solution that you're trying to access (ex.
> SSL, S/Mime, VPN, PKI, etc.)?
>
> Brad
> _________________________________________________________
> DO YOU YAHOO!?
> Get your free @yahoo.com address at http://mail.yahoo.com