Re: Assigning Roles to Strangers
Hi,
Regarding the collector:
The signature on collected certificates can be verified through the
issuer's public key and there is no need to authenticate the sending site.
More than that, we believe there will be central repositories that will
hold certificates, some will be given to everyone and some will be
protected through some access control system.
Regarding the X.509 format:
We chose to do our first prototype with X.509v3 certificates but other
formats (e.g. SPKI, Attribute Certificates) can be supported as well. The
only requirement is that each certificate has at least issuer, subject and
attributes.
Regarding the exclusion tag:
It is true that it's impossible to make sure that there does not exist
anywhere a certificate of that type. However while the TrustEstablishment
(TE) server works hard to collect 'positive (inclusion)' certificates, it
does not do it for the 'negative (exclusion)' certificates. We only check
our local collected DB for such certificates.
Regards,
Yosi Mass,
TrustEstablishment Project Manager,
IBM Haifa Research Lab, Tel Aviv Office
p.j. ponder writes:
>The function of the 'collector' seems to be dependent upon a secure DNS or
>some way of authenticating the sites which are visited to collect the
>missing certs. I have only made a quick pass through the document and I
>may have missed something important. If the collector acts on URLs then
>it is subject to spoofing and inherent weaknesses in the DNS.
>
>The message above seems to indicate that different forms of certificates
>may be used, the paper itself indicates X.509v3 only. I'm not keen on
>X.509, for some of the same reasons that led to the development of SPKI,
>but I don't want to light off another religious battle on BER encoding and
>ASN.1 and etc. I'll send some comments on that for 66 Swiss francs.
>
>In the example,
>
>|<!---- Second rule : a hospital recommended by at least 2 hospitals, and
>|there is no warning about it from any hospital --->
>| <RULE>
>| <INCLUSION ID="reco" TYPE="Recommendation" FROM="hospitals"
>|REPEAT=2></INCLUSION>
>| <EXCLUSION ID="warn" TYPE="Warning" FROM="hospitals"></EXCLUSION>
>| <FUNCTION>
>
>how does the 'exclusion' work without an exhaustive search of all hospital
>issuers or collectors? Is there a central global repository of 'warnings'
>in this example, like CRLs? I read the description of the 'exclusion'
>tag, but it escapes me how that would work in a practical sense. Is it
>the same thing as saying there are no certificates anywhere where issuer =
>hospital that contain a warning about the subject hospital? Does it mean
>that if there is a warning found in the local database or in certs we have
>already collected, then the subject hospital is excluded? It would seem
>in a policy like the one in the example, that an affirmative action would
>be required on the part of the TE to go and see if there are any warnings,
>anywhere, that relate to that hospital. Similar to a CRL?
>
>Based on a first reading, you seem to have taken elements from some of the
>better work being done and applied them in potentially interesting ways.
>I'll read it over again in the daylight.
>--
>pjp
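A worked evaluator for the rule quoted in the thread, added here as an example and not TrustEstablishment's own code. Assumptions: the rule is re-typed with quoted attribute values so it parses as XML, the FUNCTION element is omitted and stands for "all inclusions satisfied and no exclusion matched", REPEAT is read as "distinct issuers", the 'type' attribute is where a certificate carries its type, and all certificates and role assignments are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed stand-in for a collected certificate, carrying only the three
# fields the reply says every supported format must have.
Cert = namedtuple("Cert", "issuer subject attributes")

# Constructed rule in the shape of the quoted example (attribute values quoted
# for XML; FUNCTION omitted, see lead-in).
RULE_XML = """
<RULE>
  <INCLUSION ID="reco" TYPE="Recommendation" FROM="hospitals" REPEAT="2"/>
  <EXCLUSION ID="warn" TYPE="Warning" FROM="hospitals"/>
</RULE>
"""

def matches(cert, elem, subject, roles):
    """A cert matches an element if its issuer holds the FROM role, it is
    about `subject`, and its 'type' attribute equals the element's TYPE."""
    return (cert.subject == subject
            and elem.get("FROM") in roles.get(cert.issuer, set())
            and cert.attributes.get("type") == elem.get("TYPE"))

def evaluate(rule_xml, subject, local_db, roles):
    """Evaluate the rule for `subject` against the locally collected DB only.
    Each INCLUSION needs REPEAT distinct issuers; an EXCLUSION fails the rule
    if even one matching cert is present locally. Nothing is fetched, so a
    warning that was never collected is invisible (the caveat in the thread)."""
    rule = ET.fromstring(rule_xml)
    for inc in rule.findall("INCLUSION"):
        issuers = {c.issuer for c in local_db if matches(c, inc, subject, roles)}
        if len(issuers) < int(inc.get("REPEAT", "1")):
            return False
    for exc in rule.findall("EXCLUSION"):
        if any(matches(c, exc, subject, roles) for c in local_db):
            return False
    return True

# Constructed sample data: three issuers already hold the 'hospitals' role.
ROLES = {"hospA": {"hospitals"}, "hospB": {"hospitals"}, "hospC": {"hospitals"}}
LOCAL_DB = [
    Cert("hospA", "clinicX", {"type": "Recommendation"}),
    Cert("hospB", "clinicX", {"type": "Recommendation"}),
    Cert("hospA", "clinicY", {"type": "Recommendation"}),
    Cert("hospB", "clinicY", {"type": "Recommendation"}),
    Cert("hospC", "clinicY", {"type": "Warning"}),
]
# A constructed warning that exists somewhere but was never collected.
UNCOLLECTED = [Cert("hospC", "clinicX", {"type": "Warning"})]
```

With the data above, clinicX passes and clinicY is excluded by hospC's warning; clinicX would also be excluded if the uncollected warning were added to the local DB, which is exactly the gap the exclusion check leaves open.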