----- In reference to the following message:
From: jueneman%wotan@gte.com
Date: Sun, 08 Aug 93 18:49:00 EDT
Subject: Key & Signature responsibility
I am therefore urging that a PCA state in its Policy, that AS A CONDITION OF
ISSUING A CERTIFICATE TO A CA:
(1) the CA shall require its users to agree to comply with the PCA's
Policy,
(2) that the PCA, the CA, and/or its users shall publish a readily
accessible statement saying what they are or are not willing to
be bound to with respect to their digital signature, and that
(3) in the absence of such a published statement their digital
signature is for all intents and purposes essentially undefined,
and is therefore null and void.
Do you feel that such a requirement by a PCA violates either the spirit or
the letter of the intent of the PEM standards? I certainly don't.
----- End of quoted message -----
The spirit, yes. The letter, no. The PCA exists only to provide a
framework for a secure binding between a Distinguished Name and a
PUBLIC key. It is not intended to govern the uses of the public key.
The reputation of the operator of the PCA and its stated purpose for
doing so may be adequate for a particular entity (individual or
organization) to develop a rule base for authentication, access
control, etc. However, the PEM standard is completely neutral as to
whether or not this is the use to which it is to be put.
-Jeff (x2679)