[Hipsec-rg] Hierarchical HITs

oleg.ponomarev at hiit.fi (Oleg Ponomarev) Wed, 21 January 2009 14:43 UTC

From: "oleg.ponomarev at hiit.fi"
Date: Wed, 21 Jan 2009 16:43:04 +0200
Subject: [Hipsec-rg] Hierarchical HITs
In-Reply-To: <001701c97b77$5c494480$480c6f0a@china.huawei.com>
References: <001701c97b77$5c494480$480c6f0a@china.huawei.com>
Message-ID: <alpine.LFD.2.00.0901211611160.17180@stargazer.pc.infrahip.net>

Hi! On Wed, 21 Jan 2009, Zhang Dacheng wrote:

> The scenario you mentioned is applicable as well. However, identity 
> lists are normally used by the simplest authorization systems.

Please note "access certificate issued to that identity by the trusted CA"

> I cannot let you access my medical records if you only can prove that 
> you are who you have claimed. You also need to tell me where you are from, 
> whether you are a qualified doctor, etc. Note that it is the job of my 
> authentication system to verify your claims.

If we apply it to your example, I present a hospital badge with my photo 
on it, then 1) you may verify that this is my photo 2) you may see that 
the hospital authorized me to treat you.

Once again, we already have hierarchical identities (e.g. domain names) 
and I do not see the reasons to introduce yet another hierarchical space. 
Of course, this is just my opinion.

Regards, Oleg.