Re: NEW Data type for certificate selection ?
On Thu, 1 Oct 1998, Stefan Santesson wrote:
>Hi Ed,
>
>I'm just trying to understand what you are saying.
>
>Is what you are saying that you would solve the problem generally by, for
>each issuer, having a different Issuer DN per certificate type?
>Well I have thought of that for the SSL/TLS case but I don't like it.
Stefan:
;-)
May I remind you that you wrote:

  I realize that today there is no way to do this without distributing
  customized plug-in components to end-users

However, there are actually TWO ways, as I mentioned in my previous
postings, that do not involve plug-ins and do not need Javascript
either (btw, a security risk right there).
>Simply because many planned CA-services do not work that way and I'm not
>convinced that they should either.
;-) Simply because you perhaps want to make commercial CA-services
mandatory for Banks. However, that is neither needed by Banks nor
desirable security-wise.
Further, if you want to name an objection, please do so. Generic
"does not work that way", without qualifying the "that" or why -- is
not useful in a discussion. SMTP carries only written words yet, not
thoughts ;-)
Can you be specific?
>
>The next question is, how do I use the SSL/TLS negotiation to pick the
>right certificate for creating a signed object in a Java script?
As I explained before, there are TWO ways to pick the intended
certificate and no other cert. However, pls consider abandoning
JavaScript to provide *functionality* -- even though JS may add
embellishments. Several major companies and security-concerned
individuals do not use JS at all.
Cheers,
Ed Gerck
______________________________________________________________________
Dr.rer.nat. E. Gerck egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
-- Member of the Meta-Certificate Group -- http://www.mcg.org.br