FYI

Erik

-----Original Message-----
From: Daniel Kahn Gillmor [mailto:dkg@xxxxxxxxxxxxxxxxx]
Sent: Monday, April 07, 2014 5:29 PM
To: Erik Andersen
Subject: Re: [wpkops] Fwd: [T17Q11] Trust anchor information

Hi Erik--

Tony Rutkowski pointed to your DR_394 on the IETF's wpkops list:

> After some useful discussions, I have prepared an update of DR_394
> (see http://x500standard.com/uploads/Ig/DR_394.pdf).

this is a silly grammar nitpick, but:

  "it might not be trust anchor"

should probably be:

  "it might not be a trust anchor"

overall, your description of trust anchors is absolutely on-target. We
should not presume that any given trust anchor has any of the following
properties:

 0) is universally held (i.e. not everyone must be willing to rely on
    every trust anchor)

 1) it represents the terminus of any given certificate chain (i.e. it's
    entirely reasonable for a trust anchor to be in the middle of a
    chain, or to use corroborative, non-chain certification topologies)

 2) has universal purview (i.e. supporting nameconstraints or other
    constraints for trust anchors is entirely reasonable)

i think your update addresses all of these concerns, which is great (i
think more attention could be paid to corroborative trust anchors, but
X.509 itself is awkward for those certification topologies).

Thanks for writing and pushing on this update.

Regards,

    --dkg