ietf-smime

Re: PGP 6.0 ... One more question

1998-11-09 18:06:15
At 05:38 PM 11/4/98 +0100, Stefan_Salzmann/HAM/Lotus(_at_)lotus(_dot_)com wrote:
   I have got one more question for the community. Does PGP Version 6.0
   support the hierarchical trust model? If yes, are there any restrictions?

I'd like to note that this question really is not germane to this mailing
list for two reasons: (1) you're asking a PGP question on the S/MIME list
and (2) you are asking a question about a Network Associates product, not
about the standard.

However, the answer to your question is: Yes. Both PGP 6.0 and OpenPGP
support hierarchical trust. In OpenPGP Formats, see section 5.2.3.12 and
5.2.3.2 for the syntactic mechanisms for hierarchical CAs. Up to 255 levels
of CAs are allowed by the system. This feature is called a "trust signature."

The product PGP 6.0 will evaluate any level CA hierarchy, but will generate
only a two-level CA system with its "meta-introducer" feature. What this
means is that you can have a PGP cert that is a root cert, and then have
one additional sub-CA that signs leaf certs. We limited the feature in the
product only because it was very hard to get the UI right. As I said
before, the shipping software accepts the full, OpenPGP 255 levels.

The trust signature also provides for scope-limited cross-certification.
The signatures are the same, it's just who you give them to.

        Jon



-----
Jon Callas                                  jon(_at_)pgp(_dot_)com
CTO, Total Network Security                 3965 Freedom Circle
Network Associates, Inc.                    Santa Clara, CA 95054
(408) 346-5860                              
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
              665B 797F 37D1 C240 53AC 6D87 3A60 4628           (RSA)
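
The trust signature and its scope limit, as an added example that is not part of the original message or of any PGP product code: a parser that reads the level, trust amount and regular-expression scope out of a version 4 signature subpacket area. It assumes the subpacket layout of RFC 2440 (type 5 trust signature, type 6 regular expression); the sample bytes, the example.com scope and the chain_ok helper are constructed for illustration.

```python
# Added example (not from the original message). Layout per RFC 2440 section 5.2.3.
TRUST_SIGNATURE, REGULAR_EXPRESSION = 5, 6

def iter_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # 255, then a four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed or truncated subpacket")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def trust_delegation(area: bytes):
    """Return level, amount and scope of a trust signature, or None if absent."""
    found, scope = None, None
    for sp_type, _critical, body in iter_subpackets(area):
        if sp_type == TRUST_SIGNATURE:
            if len(body) != 2:
                raise ValueError("trust signature body must be 2 octets")
            found = {"level": body[0], "amount": body[1]}  # one octet: 0..255
        elif sp_type == REGULAR_EXPRESSION:
            scope = body.rstrip(b"\x00").decode("ascii")   # null-terminated
    if found is not None:
        found["scope"] = scope
    return found

def chain_ok(levels):
    """Simplified model: a level-n key may issue trust signatures of level < n."""
    return all(child < parent for parent, child in zip(levels, levels[1:]))

# Constructed sample: creation time, trust signature (level 2, amount 120),
# and a regular expression limiting the delegation to one domain.
_regex = rb"<[^>]+[@.]example\.com>$" + b"\x00"
SAMPLE_AREA = (b"\x05\x02\x36\x47\x2b\x00"
               + b"\x03\x05\x02\x78"
               + bytes([len(_regex) + 1, 6]) + _regex)

if __name__ == "__main__":
    print(trust_delegation(SAMPLE_AREA))
    print(chain_ok([2, 1, 0]), chain_ok([1, 1, 0]))
```

The level is a single octet, which is where the 255-level ceiling comes from; a verifier should reject a delegation whose scope expression does not match the user ID being certified.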
