Re: criticality conformance
Peter Williams <peter@verisign.com> Fri, 17 May 1996 17:43 UTC
Received: from ietf.cnri.reston.va.us by IETF.CNRI.Reston.VA.US id aa19997; 17 May 96 13:43 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa19992; 17 May 96 13:42 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa12571; 17 May 96 13:42 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa03935; 17 May 96 13:20 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa03921; 17 May 96 13:13 EDT
Received: by relay.tis.com; id NAA15818; Fri, 17 May 1996 13:15:22 -0400
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1) id xma015804; Fri, 17 May 96 13:14:58 -0400
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA10473; Fri, 17 May 96 13:15:06 EDT
Received: by relay.tis.com; id NAA15797; Fri, 17 May 1996 13:14:52 -0400
Received: from rosetta.verisign.com(204.162.64.10) by relay.tis.com via smap (V3.1) id xma015789; Fri, 17 May 96 13:14:44 -0400
Received: from dustin.verisign.com (Gateway-Outside.Verisign.COM [204.162.64.20]) by rosetta.verisign.com (8.7.4/8.6.12) with ESMTP id KAA26941; Fri, 17 May 1996 10:17:17 -0700 (PDT)
Received: from peter (Peter.verisign.com [192.42.157.77]) by dustin.verisign.com (8.7.4/8.6.12) with SMTP id KAA21082; Fri, 17 May 1996 10:05:57 -0700 (PDT)
Message-Id: <319CA766.27E3@verisign.com>
Date: Fri, 17 May 1996 09:20:54 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Peter Williams <peter@verisign.com>
Reply-To: peter@verisign.com
Organization: VeriSign, Inc
X-Mailer: Mozilla 3.0b3 (Win16; I)
Mime-Version: 1.0
To: Mark S Feldman <feldman@tis.com>
Cc: pem-dev@tis.com, solo@bbn.com, hoa@rsa.com
Subject: Re: criticality conformance
References: <9605171637.AA08176@tis.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Orig-Sender: pem-dev-approval@neptune.tis.com
Precedence: bulk
> > I see two uses of certificates evolving: > > 1) Application-specific certificates. They may be perfectly valid > X.509v3, but they are linked back to a special, limited purpose root > or they have special extensions, perhaps carrying information not > available elsewhere. These certificates are proprietary black boxes. > They could just as well be something other than X.509 certificates, > but the application authors chose X.509 as an expedient, marketing > ploy, what have you. > > 2) Identity certificates that are of general use. More or less the > original PEM model. The problem here is the lack of infrastructure. > This has largely been bypassed in the rush for (1) above. Separate > mechanisms will map identity to authority, privilege, etc. The rush is the fact that certificates now solve an important problem to users - key distribution supporting a modicum of end-end privacy. Steve Crocker trained you well in constantly saying (so that people might eventually believe you) X.509 cannot occur as there is no infrastructure. Turns out (now there is money flowing the certs business) the infrastructure was there all along. D&B have huge organizational dbs, suitable for auth managament, and Equifax have huge residential dbs suitable for... The directory problem has been solved by the Web; see several directory services now available at URLs, and cert distribution within those only required a mime-type... With refienement, LDAP may well be integrated into the Web as a locator protocol for more refined service access, but its immaterial functionally. > In the end, isn't the application granting a privilege the sole > arbiter of the validity of a certificate? Maybe, as I said > previously, "validity" is the wrong word. A certificate may be > perfectly valid in the X.509 sense, but it may not be "valid for a > particular purpose." Of course. certs only perform key distirbution. That key may be obtained over such a channel which allows the applciation to assume the properties are suitable for a given use. In practice such properties come down to a policy oid, which the app can select on, and know represent an authenicated channel of authoitative keying. Subscriber agreement during certiifcate management then allows consumers to decide whether the policies are suitable for use in support of purpose A or B, or none. The cert is itself immaterial; what matters is its background management procedures embodied in the policy id. > A specific extensions can easily be critical or non-critical in all > cases. Being able to say otherwise in the certificate with the > criticality flag creates confusion (I think this is similar to your > original question). It is a shame that the OID space for extensions > can't be divided into critical and non-critical (say, even and odd), > creating an atomic bond between the extension and its criticality -- no > need for external, possibly ambiguous, rules identifying extensions as > critical or not. We can do this. IETF PKIX creates a pkix oid in the internet space, and has two subtrees. Into one or the other it reassigns the numbers of the ISO oids, and all IETF people use the IANA versions. Its only a number, but with pkix-profiled criticality specialization suggested by TIS. This is exactly how IETF needs to add value to the raw ISO work, to make it practicable.
- criticality conformance Peter Williams
- Re: criticality conformance Mark S Feldman
- Re: criticality conformance Peter Williams
- Re: criticality conformance Mark S Feldman