>From: Marshall Rose <mrose(_at_)us(_dot_)ca(_dot_)mtview(_dot_)dbc>
>Subject: The relationship between an entry and a real-world object
>Date: Wed, 18 Aug 1993 08:40:41 -0700
A function of policy-based certification is to bridge the gap between
registration and listing-by-name, such that little external knowledge,
and thereby inference, is required to determine the validity of the
identity statement represented by a certificate. The procedural means
used in such bridging processes is known publicly, and may be referred
to in case that an identity's authenticity is challenged. Upon
challenge, inference may be required. The burden of proof that
authenticity is in doubt is the that of the challenger.
A Naming Authority may, or may not use a secure, non-public Directory
Service for the non-std purpose of its registration of unique and
unambiguous names within its jurisdiction. Providers may or may not
interchange their secured naming contexts by suitable secure
registration interchange protocols.
PEM is now quite specific; Steve Kent's reply to the very first message
I ever posted to pem-dev recognised that the then PEM registration
protocol and service for assuring the uniqueness of CA names was not
fully specified. This vital matter for PEM service provision is now in
the purview of procedural mechanisms implemented by PCAs and their
associated domain of CAs, who are each required to make a competent
statement of their certification procedures. No statement implies
low-assurance.
I contend that your relationship assertions have been addressed
by PEM by the mechanism and operation of PCAs, founded upon the
auxillary concept of certification. The PCA technique is consensual,
practical, founded upon established practice, and may be deployed in
many different ways each suited to managing the risks of user fraud of
the MHS suffered by many different communities.