Re: Summary, was Re: Every time ..., was Re: General formula
Alan Lloyd wrote:
> In system engineering for business enterprises there are
> doctrinal, operational, policy, procedural and human factors to consider
> - as well as system and detailed technical matters - e.g. implementation
> quality, deployment and scalability, reliability issues.. I tend to
> work on these aspects..
Alan:
All these aspects can be usefully applied to *one* attribute at a time
for each set of policies. But not (in any meaningful way) to a certificate
that is a mixed bag with all sorts of different attributes, implicit attributes,
etc. Even when that cert is just a plain PKIX identity certificate. To say
you can apply the same policies *equally* to *all* the attributes is likewise
meaningless.
So, what you are saying only leaves you with the case of a certificate for
which you can't apply your set of policies unless it has only one set of
attributes. Not very useful.
But, this is where the certificate lifetime equation shows a solution. You simply
apply the doctrinal, operational, policy, procedural and human factors that you
want *for each* attribute, as they can be applied for each. Without treating an
apple like a speedboat. For each type of attribute, a different policy -- e-mail
names are one thing and live and die like e-mail names, not like public-keys for
example. After you have the lifetimes *for each* attribute (including possible
subattributes you may need in order to cover the risks you consider
significant) then AND ONLY THEN you apply the equation I derived and
whip up the final result FOR THE CERTIFICATE.
So, looks like you got it backwards ...a simple confusion. You thought of
applying the equation first -- but, no. It is to be applied last. Of course, how
else would you get the attribute lifetimes to input into the equation? From
whom/what?
BTW, this is clearly explained in the inlined reference [1] in my original
posting, in many e-mails I and others wrote here -- and even in the
very e-mail you are replying to:
"Gerck's certificate lifetime equation requires the user to input their
assumptions on each presented attribute validity lifetime (an average)
of a *given* certificate, ..."
So, you are the equation user, what should you do? Input your assumptions
on each attribute lifetime -- even if you call your assumptions by a long name
such as "doctrinal, operational, policy, procedural and human factors".
Cheers,
Ed Gerck