[x500standard] SV: [pkix] Trust anchors
- From: "Erik Andersen" <era@xxxxxxx>
- To: <denis.pinkas@xxxxxxxx>
- Date: Fri, 15 Jul 2011 15:22:05 +0200
Hi Denis,
Thanks for your comments. I understand that you believe that trust anchor
storage shall not be mentioned in X.509 at all.
X.509 is not that well structured, as it has been written by different
people at different times during a period where concepts and terms were
being developed.
As an example, the term trust anchor is used with any previous introduction.
An innocent reader does not necessarily know what a trust anchor is.
Following your proposal, the term trust anchor would still be used without
any introduction.
The proposed subclause is intended to be just before a subclause introducing
the concept of certification path. Some of your proposed text fits nicely in
here.
It was important to me to emphasise that a trust anchor is some trusted
entity by a relying party and not necessarily trusted by the end-entity.
New player from new countries are coming into the PKI area. X.509 should be
written in such a way that it is understandable for newcomers. Many PKI
specifications can only be understood by those that are already (so-called)
expert.
Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
<http://www.x500.eu/> http://www.x500.eu/
<http://www.x500standard.com/> http://www.x500standard.com/
<http://dk.linkedin.com/in/andersenerik>
http://dk.linkedin.com/in/andersenerik
Fra: denis.pinkas@xxxxxxxx [mailto:denis.pinkas@xxxxxxxx]
Sendt: 15. juli 2011 11:41
Til: Erik Andersen
Cc: PKIX
Emne: RE: [pkix] Trust anchors
Erik,
You are walking on a field of mines. Nevertheless, it is good to have a ball
rolling.
Since, I don't like the proposal, I will explain shortly why and will attach
a counter proposal.
The first sentence is meaningless for me: "A trust anchor is an entity that
is trusted by
a certificate-using system supporting a relying party".
The second sentence introduces the concept of "trust anchor store".
This concept originally introduced in the PKIX WG is too restrictive.
I do know that several vendors have adopted a model where all CA are equally
trusted,
but this is far too restrictive and this should not be the general rule.
Trust anchors may be grouped under a set of rules usually called a
"validation policy" or a "signature policy".
In a given set of rules there are trust anchors and, for each trust anchor,
conditions that shall apply to every certificate of a to-be-tested
certification path that ends to that trust anchor, like OIDs for
certification policies, key usages, etc ...
Trust anchors cannot be be simply grouped in "trust anchor stores", since
different constraints may apply to every trust anchor.
This is the reason why I have deleted the text related to the"trust anchor
store".
Denis
De : "Erik Andersen" <era@xxxxxxx>
A : "PKIX" <pkix@xxxxxxxx>
Date : 14/07/2011 18:46
Objet : [pkix] Trust anchors
Envoyé par : pkix-bounces@xxxxxxxx
_____
To prove I am an optimist, I have produced a first draft for a subclause on
trust anchors to be included in X.509.
I will appreciate any constructive comment.
Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
<http://www.x500.eu/> http://www.x500.eu/
<http://www.x500standard.com/> http://www.x500standard.com/
<http://dk.linkedin.com/in/andersenerik>
http://dk.linkedin.com/in/andersenerik
[pièce jointe "trust-anchor.pdf" supprimée par Denis PINKAS/FR/BULL]
_______________________________________________
pkix mailing list
pkix@xxxxxxxx
<https://www.ietf.org/mailman/listinfo/pkix>
https://www.ietf.org/mailman/listinfo/pkix
Other related posts:
- » [x500standard] SV: [pkix] Trust anchors - Erik Andersen
