obtain a certificate not for each person nor for each role but for
each ordered pair [person,role].
You get to include only one name in an X.509 certificate.
In situations where an officer of a company needs to sign a
document, the document could be signed by a role.
Roles can have X.500 names and public key certificates as well.
An example of a role in a company is "VP, Finance".
There are ways to delegate signature authority.
This allows the role to be delegated to a specific person, or persons.
One (application specific) way to delegate signature authority is for
the role to sign a "delegation authorization" containing the name of
the delegatee, the duration, and possibly other info that defines the
terms and limits of the delegation.
The signature of Joe Blow, the current "VP, Finance", would consist
of the "delegation authorization", followed by Joe's personal
signature. (The signature would be on the original doc + authorization)
This helps distinguish between Joe signing in the role as VP,
and signing in a personal capacity.
Applications that automatically check for signatures typically would
only know that a particular form needs to be signed by "VP, Finance".
Applications wouldn't need to know that Joe is the current VP.
When Joe goes on a vacation, he would delegate signature authority to
someone else. Signatures would then consist of a sequence of two
"delegation authorizations", followed by a personal signature.
There are other fun details of how the initial "delegation authorization"
is constructed, revoked, etc.
Theorem 1: That a certificate, once created, may not be
destroyed unless...
Clearly, past certificates should remain indefinitely available to
verify signatures signed a long time ago. (I don't know how anyone can
prove that a certificate is no longer referenced.)
Perhaps this should be covered by the PCA policies in Appendix B of RFC
1422 (missing). Some CAs would provide such assurance, others
wouldn't.
Question: are CAs expected to provide any assurance of availability
of certificates, in general? Should they? Why not?
-raj
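As an added illustration (not part of raj's post, nor code from PEM or any CA product), here is the delegation chain and verification rule described above in Go, with Ed25519 standing in for the X.509 machinery the list discusses. The names, the "|" field separator (names are assumed not to contain it), and the flat key directory that replaces certificates are assumptions of the example.

```go
package main
import "crypto/ed25519"
import "time"

// Delegation is the post's "delegation authorization": the current holder of a
// role (or an earlier delegatee) names a delegatee plus an expiry and signs it.
type Delegation struct {
	Delegator, Delegatee string
	NotAfter             time.Time
	Sig                  []byte
}
func (d Delegation) body() []byte {
	return []byte(d.Delegator + "|" + d.Delegatee + "|" + d.NotAfter.UTC().Format(time.RFC3339))
}

// Delegate issues an authorization under the delegator's private key.
func Delegate(priv ed25519.PrivateKey, delegator, delegatee string, notAfter time.Time) Delegation {
	d := Delegation{Delegator: delegator, Delegatee: delegatee, NotAfter: notAfter}
	d.Sig = ed25519.Sign(priv, d.body())
	return d
}

// signedBytes: the original document followed by every authorization in the chain.
func signedBytes(doc []byte, chain []Delegation) []byte {
	out := append([]byte{}, doc...)
	for _, d := range chain {
		out = append(append(out, d.body()...), d.Sig...)
	}
	return out
}

// SignInRole is the personal signature of the last delegatee acting under chain.
func SignInRole(priv ed25519.PrivateKey, doc []byte, chain []Delegation) []byte {
	return ed25519.Sign(priv, signedBytes(doc, chain))
}

// VerifyRole knows only the role name and a key directory: each link must be
// signed by the current holder and unexpired, then the final holder signs doc+chain.
func VerifyRole(keys map[string]ed25519.PublicKey, role string, doc []byte, chain []Delegation, sig []byte, now time.Time) bool {
	holder := role
	for _, d := range chain {
		pub, ok := keys[holder]
		if !ok || d.Delegator != holder || now.After(d.NotAfter) || !ed25519.Verify(pub, d.body(), d.Sig) {
			return false
		}
		holder = d.Delegatee
	}
	pub, ok := keys[holder]
	return ok && ed25519.Verify(pub, signedBytes(doc, chain), sig)
}
```

A verifier built this way never needs to know that Joe is the current VP, and Joe's plain personal signature on the same document does not pass as a "VP, Finance" signature.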