Bob,
- re "semantic cross-certification": I think my last message to
Steve C. provides more of my thoughts on this issue, so let's not
continue that thread here.
- re PCA/user ID display: the intent is not to overly
constrain the user interface, but to ensure a minimal level of ID info
being made available to the user (for interpersonal email). The
principle here is "What You See Is What You Believe" (WYSIWYB,
pronounced as you would expect). The goal is to avoid overloading the
user with ID info he is unlikely to pay attention to, but to provide
enough info to unambiguously identify the user and the policy under
which the user was certified. So, an indication of "OK" for your
favorite PCA(s) coupled with a "warning" about any other PCA has most
of this flavor.
- re "access control": if you restrict the entities with whom
you communicate, this is an access control service. Encryption is a
mechanism for providing confidentiality, and may also be used as an
access control mechanism, based on distributing keys only to the
authorized parties. With public key technology the distribution of
the keys may no longer be an effective access control technology per
se. Instead, one may embed authorization info in the certificates for
RBAC or implement IBAC using ACLs. (These latter terms are preferable
to MAC and DAC in a network context, broader than just the Orange Book
model.)
Signing provides data origin authentication and connectionless
integrity, but the sort of integrity you may be referring to is
outside the scope of the security service terminology we usually
employ. "Discretionary Belief Control" is definitely too Orwellian!
One simple way to characterize what PEM does is that it provides
global, unique, descriptive identification of users along with an
indication of the trust context in which the identity has been
verified. It need say nothing about the trust accorded the user, only
the level of assurance associated with the verification of the user's
identity. A PCA might adopt a policy that did imply trust in a user
as a condition of certification of the user, but that would be true
only for PCAs that adopt such policies.
- re MSP and release authority: Yes, MSP has explicit
provisions to support the release authority requirements of DMS (which
are derived from the RA function of AUTODIN).
- re the number of PCAs that will exist: Well, I had initially
hoped that there would be relatively few PCAs, and that some of them
would be international in scope. However, early indications are that
there may be many PCAs, because of economic concerns. I think we will
just have to wait and see how the system evolves over time. There may
be an explosive growth of PCAs initially, then consolidation, merging,
etc.
Steve