[x500standard] Re: Trust anchor
- From: denis.pinkas@xxxxxxxx
- To: x500standard@xxxxxxxxxxxxx
- Date: Fri, 15 Jul 2011 11:34:49 +0200
Erik,
You are walking on a field of mines. Nevertheless, it is good to have a
ball rolling.
Since, I don't like the proposal, I will explain shortly why and will
attach a counter proposal.
The first sentence is meaningless for me: "A trust anchor is an entity
that is trusted by
a certificate-using system supporting a relying party".
The second sentence introduces the concept of "trust anchor store".
This concept originally introduced in the PKIX WG is a non sense to me.
Trust anchors may be grouped under a set of rules usually called a
"validation policy" or a "signature policy".
In a given set of rules there are trust anchors, but also conditions that
shall apply to every certificate of a to-be-tested
certification path, like OIDs for certification policies, key usages,
etc..
Trust anchors cannot be be simply grouped in "trust anchor stores" since
different constraints may apply to every trust anchor.
I do know that MS has adopted a model where all CA are equally trusted,
but this is far too restrictive and this should not be the general rule.
Denis
De : "Erik Andersen" <era@xxxxxxx>
A : "Directory list" <x500standard@xxxxxxxxxxxxx>, "SG17-Q11"
<t09sg17q11@xxxxxxxxxxxxx>
Date : 14/07/2011 19:05
Objet : [x500standard] Trust anchor
Envoyé par : x500standard-bounce@xxxxxxxxxxxxx
I have produced a suggested new subclause for X.509. It is to be inserted
just before a certification path subclause
Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
[pièce jointe "trust-anchor.pdf" supprimée par Denis PINKAS/FR/BULL]
Other related posts:
