
Re: NEW Data type for certificate selection ?



There are similarities with phone numbers, but an even better example is to
compare with plastic cards in your wallet.

Say that every plastic card is a certificate given to you to be used in a
certain context. When you buy gas you use your petrol card, when you borrow
books you use your library card.

The service context determines which certificate (plastic) you are using.

In a computer environment this is the same. Depending on the service
context you will use different certificates and different private keys for
signatures and decryption.

Today there is no "good" way to communicate the "service context" to the
certificate selecting function in the client. What is proposed here is that
we define a mechanism for this so that a context aware server may help the
client to select a suitable certificate.

This is relevant for a wide range of application and service levels, from
communication services (SSL/TLS) up to application levels (S/MIME and Java
scripts). But regardless of implementation level a general data type could
be used to specify the certificate match rule. X.509 has defined 2
relevant match rules: certificateMatch and certificateExactMatch.

So all we basically have to do is to convince the TLS, S/MIME and Java
people to include this in their protocols and client-server products.

/Stefan
 

At 01:52 PM 10/1/98 +0100, Andreas Berger wrote:
>Is the problem of selecting certificates somewhat similar to the
>selection of telephone numbers?
>
>Example:
>
>have an application select a FAX number for my home phone from an
>address book entry. The numbers themselves (the certificate) cannot be
>distinguished from other numbers, it is the attribute name "FAX, home"
>(or something like this) that shows the designated use of the number.
>
>A little difference exists, in that certificates usually contain some
>information about the intended use. But this information is not encoded
>in a uniform way. The decision is usually left to the application (which
>is the problem to be solved here?).
>
>Andreas
>-- 
>Fifty-three percent of Fortune 1000 executives think the
>Arch Deluxe is something that helps to run a computer.
>-- Jericho Communications
>
>
-------------------------------------------------------------------
Stefan Santesson                <stefan@accurata.se>
Accurata Systemsäkerhet AB     
Lotsgatan 27 D                  Tel. +46-40 152211              
216 42  Malmö                   Fax. +46-40 150790              
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------
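The selection mechanism Stefan describes, as an added example that is not part of the original mailing-list post: a server sends the client a "service context" expressed as one of the two X.509 match rules, and the client's certificate-selecting function filters its wallet against it. certificateExactMatch identifies one certificate by issuer name plus serial number; certificateMatch is an assertion whose components (issuer, serial number, subject, keyUsage, a validity time, a subjectAltName e-mail, among others in the standard) are all optional, and an absent component matches anything. The wallet entries, the `Cert` record and the subset of assertion components shown are constructed, simplified stand-ins for parsed certificates, not X.509 ASN.1 structures, and the names are hypothetical; distinguished names are compared as plain strings here, where real code would apply the X.501 name matching rules.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

# Constructed stand-in for a parsed X.509 certificate (hypothetical wallet entry).
@dataclass(frozen=True)
class Cert:
    label: str
    issuer: str
    serial: int
    subject: str
    key_usage: frozenset
    not_before: datetime
    not_after: datetime
    san_email: Optional[str] = None

@dataclass(frozen=True)
class CertificateExactAssertion:
    """certificateExactMatch: issuer name plus serial number names exactly one certificate."""
    issuer: str
    serial: int

@dataclass(frozen=True)
class CertificateAssertion:
    """Subset of the X.509 CertificateAssertion components (assumed subset);
    every component is optional and an absent component matches anything."""
    issuer: Optional[str] = None
    serial: Optional[int] = None
    subject: Optional[str] = None
    key_usage: frozenset = frozenset()
    valid_at: Optional[datetime] = None
    san_email: Optional[str] = None

Assertion = Union[CertificateExactAssertion, CertificateAssertion]

def exact_match(cert: Cert, a: CertificateExactAssertion) -> bool:
    return cert.issuer == a.issuer and cert.serial == a.serial

def certificate_match(cert: Cert, a: CertificateAssertion) -> bool:
    if a.issuer is not None and cert.issuer != a.issuer:
        return False
    if a.serial is not None and cert.serial != a.serial:
        return False
    if a.subject is not None and cert.subject != a.subject:
        return False
    # keyUsage component: every asserted bit must be set in the certificate.
    if not a.key_usage <= cert.key_usage:
        return False
    # certificateValid component: the asserted time must fall inside the validity period.
    if a.valid_at is not None and not (cert.not_before <= a.valid_at <= cert.not_after):
        return False
    if a.san_email is not None and cert.san_email != a.san_email:
        return False
    return True

def select_certificates(wallet: List[Cert], assertion: Assertion) -> List[Cert]:
    """The client-side selecting function: returns every wallet entry the
    server-supplied assertion matches, so the caller can pick or prompt."""
    if isinstance(assertion, CertificateExactAssertion):
        return [c for c in wallet if exact_match(c, assertion)]
    return [c for c in wallet if certificate_match(c, assertion)]

def labels(certs: List[Cert]) -> List[str]:
    return [c.label for c in certs]

# Constructed "time of the request", used by the validity check.
NOW = datetime(1998, 10, 1)

# Constructed wallet: the "petrol card" (TLS client auth) and two "library cards"
# (S/MIME), one of which has expired.
WALLET = [
    Cert("bank-tls-client", "CN=Bank CA", 1001, "CN=Stefan",
         frozenset({"digitalSignature"}), datetime(1998, 1, 1), datetime(1999, 12, 31)),
    Cert("library-smime", "CN=Library CA", 7, "CN=Stefan",
         frozenset({"digitalSignature", "keyEncipherment"}),
         datetime(1998, 1, 1), datetime(1999, 12, 31), san_email="stefan@example.test"),
    Cert("old-library-smime", "CN=Library CA", 3, "CN=Stefan",
         frozenset({"digitalSignature", "keyEncipherment"}),
         datetime(1996, 1, 1), datetime(1997, 12, 31), san_email="stefan@example.test"),
]

if __name__ == "__main__":
    # A mail server describing its context: encryption certificates from the Library CA, valid now.
    hint = CertificateAssertion(issuer="CN=Library CA",
                                key_usage=frozenset({"keyEncipherment"}), valid_at=NOW)
    print("certificateMatch ->", labels(select_certificates(WALLET, hint)))
    # A server that already knows which certificate it expects.
    print("certificateExactMatch ->",
          labels(select_certificates(WALLET, CertificateExactAssertion("CN=Bank CA", 1001))))
```

The useful property for the client is that a weak hint still narrows the choice: with only keyUsage asserted both library certificates match and the client has to prompt, while adding the validity time leaves a single candidate and no prompt is needed.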