RE: NEW Data type for certificate selection ?

[Stephen Kent <kent@xxxxxxx>]

Alan,

>Yes the problem is a path issue. where CAs may have multiple paths to
>their roots or other CAs, multiple approaches to revokation, Users have
>multiple certficates, clients might be root and domain agile, etc.
>
>I have views on this which says we should not complicate the certificate
>any more-  so the client gets even more complex and untrusted, we should
>use some simpler methods of validation with the assistance of the
>directory service.

Yes, one can imagine offloading this processing, but a fundamental
assumption underlying certificates is that one does not need to rely on
other parties for such processing and storage.  Thus directories are
untrusted repositories, which can do not worse than store bad data.  I
would not want to confuse this long term existing model of what a directory
does with the notion you;re suggesting, of a component/system that performs
lots of processing that we currently envision being done by a certificate
consuming system.  I'm not saying we ought not consider such alternative
models, but le's not confuse folks by calling them directories, trusted
directories, etc.

>Phone systems are good - my telephone does not have software in it to
>prove the telephone company can provide it with its phone number ! :-)

I don't really see the relevance of this last analogy.

Steve