[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Elaborate and clarify the technical NR service definition
At 06:59 PM 8/27/99 -0400, tgindin@us.ibm.com wrote:
> Thanks for the help. I guess the first sentence should probably read
>"signed by the private key corresponding to the specified valid certificate", or
>something like that.
>
> Tom Gindin
Yes, that would be clear. And I stress that the "disclaimer" should make
clear that BOTH "real owner" AND "real signer" are beyond scope.
A picture is worth a thousand bytes :)
(Domain of Tech NR Service)
-----------------------------
--> CA ----------|--> CRLs (TimeStamps?) |
/ \ | |
(PERP-1) ----------|--> Cert(OWNER,PublicKey) |
\ | |
--> PrivateKey | Object Signature |
\ ------|--------^-------------
\ | /
-----------> (PERP-2)
A "Full NR Service" would hope to establish "PERP-1 = OWNER = PERP-2".
The CA is (CPS-variably) responsible for "PERP-1 = OWNER". And we
entertain notions such as pin-activated tamperproof smartcards and
subscriber-due-care to approach "OWNER = PERP-2".
___tony___ (with too much time on his hands:)
Tony Bartoletti LL
IOWA Center LL LL
Lawrence Livermore National Laboratory LL LL LL
PO Box 808, L - 089 LL LL LL
Livermore, CA 94551-9900 LL LL LLLLLLLL
phone: 925-422-3881 fax: 925-423-8081 LL LLLLLLLL
email: azb@llnl.gov LLLLLLLL