On Wed, 24 Sep 1997 23:05:30 -0700 (PDT), Patrick Richard
<patr(_at_)xcert(_dot_)com> wrote:
Ian Brown wrote :
The PGP public-key is the principal.
...
I think this is a great way to look at it. Using the public key, its
hash or fingerprint as *the* DN allows all sorts of important
functionality like authorisations.
The major problem with 'key-principal' architectures is the
revocation problem.
When my key is revoked/changed/upgraded/whathaveyou all
bindings are lost.
Pat,
This is certainly not a major problem in the environments
with which I am most familiar. Certificate revokation (due to
invalidation of one of the pieces of information bound into
the certificate) is far more common than key revokation (due to
loss or compromise of the key). The former occurs when jobs,
mailboxes, roles, or sometimes even authorizations change. This
happens at a much higher rate than key loss.
The only real way to mitgate this is to bind very little to
the key. However, this gives up much of the value that the
certificate offers.
This was one of the reasons that the attribute certificate
emerged in X.509. (There were other reasons too.) It allowed a
wide range of this "non-principal" binding data to be abstracted
from the main structure. This help to facilitate separate
certificates for various functions. Thus you can have one cert
that just binds permanent info like a name or perhaps a
lifetime identification (i.e., SSN) number to a key. Other
certificates containing info of a less permanent nature
(i.e., organizational affiliations, authorizations, e-mail
addresses) could then be revoked without destroying the user's
cryptographic identity.
There is great strength in this kind of modularity. We
should consider this concept in Open-PGP.
Chris
---------------------------------------------------------------
| International Electronic Communication Analysts, Inc. |
| Christopher D. Bonatti 9010 Edgepark Road |
| Vice-president Vienna, Virginia 22182 |
| bonattic(_at_)ieca(_dot_)com Tel: 301-212-9428 Fax: 703-506-8377 |
| PGP public key available from "http://www.ieca.com/" |
---------------------------------------------------------------