
RE: NEW Data type for certificate selection ?



Tyone - the problem gets worse if one uses extensions. It means one is
tying (by cryptography) the local context/usage of a certificate. And as
you say, contexts may not be universal. In fact scalability will hit
once we force "application" tags into certificates, simply because, as
you say, usage identifiers are open-ended.

Nothing will be perfect in this space, but my preference is to have a
certificate/permissions/business information approach that ties the
crypto trust components to the user capabilities and applies these in
a business context - all of which must be designed from a directory
information perspective because of the authentication, access control,
distribution and validation requirements demanded.

As said, the requirement is to have a trusted EC environment. The
components of such an environment include cert-based functions, distributed
directories and a business/organisational directory schema and (as small as
possible) client applications that rely on such services. Adding an
extension in my mind does not solve the problem, it simply creates more,
because the "fix" is in the wrong place. And as you correctly say, it's
hard and difficult, which just indicates IMHO that the problem is
somewhere else.

I personally think that one cannot add any more detail to PKI/509 because
the problems that are now being discussed are the limitations of LDAP to
support efficient and scalable PKI systems (when X.500 should be used),
and the application, performance and trust of certificate-based systems
now depend on the application they are used for. And these are cost,
operational, assurance and cost-related issues.

regards alan



----------
From: tyone
To: ietf-pkix@imc.org
Sent: 9/28/98 12:19:19 PM
Subject: Re: NEW Data type for certificate selection ?

Hi.

What do you think of the idea of using the cert policies extension for
this purpose?
The reason is that the cert policies extension indicates how the
certificate has been issued and how the certificate should be used.

If two different certificates have the same cert policies extension
value and one can be used for application A, then it is reasonable that
the other can be used for application A.

If we decide to introduce a new extension or a new ASN.1 field to the
X.509 format which indicates what kinds of applications can use the
certificate, we first have to categorize applications from some
viewpoints (data sensitivity?).
This categorizing work seems to be very hard and difficult.

Takeshi Yoneda
Mitsubishi Electric Corp.


>All,

>During the TLS session in Chicago (IETF meeting) I discussed with Jeff
>Weinstein, Netscape, the problem of certificate selection in an
>environment where the client is populated with many similar certificates
>for different purposes.

>We concluded that this is a general problem, not only for TLS, but for
>S/MIME, Java, Java script, etc, where signing and encryption based on
>an X.509 PKI is an option. I also conclude that the current TLS approach,
>using Issuer name as selection criteria, is hopelessly insufficient for
>the general case.
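The selection problem debated in this thread (the TLS approach of filtering on issuer name alone, versus Takeshi's suggestion of matching on the certificatePolicies extension) can be shown with a few lines of code. The block below is an added illustration, not code from any post in the thread: it hand-encodes and decodes the DER certificatePolicies value (X.509 / X.690 structure, short-form lengths only), builds a constructed store of stand-in certificates (issuer name plus extension value, no real certificates), and runs both selectors over it. The policy OIDs under 1.3.6.1.4.1.99999 and the CA names are hypothetical.

```python
"""Certificate selection: issuer name only vs. certificatePolicies OID.

Added example for the thread above, not code from the original posts.
Certificates are stand-ins (constructed data): an issuer DN string plus a
DER-encoded certificatePolicies extension value built here by hand.
"""
from dataclasses import dataclass
from typing import Iterable, List


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06), X.690 8.19."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def encode_sequence(*members: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30); short-form length, so content < 128 bytes."""
    content = b"".join(members)
    assert len(content) < 128, "short-form length only in this example"
    return bytes([0x30, len(content)]) + content


def certificate_policies(*oids: str) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
    (qualifiers omitted here)."""
    return encode_sequence(*(encode_sequence(encode_oid(o)) for o in oids))


def _tlv(buf: bytes, pos: int):
    """Parse one short-form DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "short-form length only in this example"
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = 2 if body[0] >= 80 else body[0] // 40
    arcs = [first, body[0] - 40 * first]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def policy_oids(ext_value: bytes) -> List[str]:
    """Return every policyIdentifier OID in a DER certificatePolicies value."""
    tag, outer, _ = _tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _tlv(outer, pos)
        assert tag == 0x30, "PolicyInformation must be a SEQUENCE"
        itag, oid_body, _ = _tlv(info, 0)          # policyIdentifier comes first
        assert itag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_body))
    return oids


@dataclass
class Cert:
    label: str
    issuer: str
    policies_der: bytes


# Constructed store: three certs from one CA for different purposes, one from another.
SIGNING_POLICY = "1.3.6.1.4.1.99999.1.1"           # hypothetical OIDs
ENCRYPT_POLICY = "1.3.6.1.4.1.99999.1.2"
AUTH_POLICY = "1.3.6.1.4.1.99999.1.3"
STORE = [
    Cert("sign", "CN=Example CA", certificate_policies(SIGNING_POLICY)),
    Cert("encrypt", "CN=Example CA", certificate_policies(ENCRYPT_POLICY)),
    Cert("auth", "CN=Example CA", certificate_policies(AUTH_POLICY)),
    Cert("other-ca-sign", "CN=Other CA", certificate_policies(SIGNING_POLICY)),
]


def select_by_issuer(store: Iterable[Cert], acceptable_issuers) -> List[Cert]:
    """The TLS CertificateRequest approach: filter on issuer DN only."""
    return [c for c in store if c.issuer in acceptable_issuers]


def select_by_policy(store: Iterable[Cert], acceptable_issuers, required_policy: str) -> List[Cert]:
    """Issuer filter plus the policy OID the application requires."""
    return [c for c in select_by_issuer(store, acceptable_issuers)
            if required_policy in policy_oids(c.policies_der)]


if __name__ == "__main__":
    print([c.label for c in select_by_issuer(STORE, {"CN=Example CA"})])
    print([c.label for c in select_by_policy(STORE, {"CN=Example CA"}, SIGNING_POLICY)])
```

The issuer-only selector returns three candidates for the same CA and leaves the client to guess; the policy-based selector narrows to one. Note that this only works because the issuing CA put a distinct policy OID in each certificate, which is exactly Alan's objection above: the selection rule ends up depending on a per-CA convention baked into the certificate. A production parser must also handle long-form DER lengths and policy qualifiers, which this example deliberately omits.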