Date: Thu, 23 Sep 93 18:24 EST
To: jueneman(_at_)gte(_dot_)com
From: Richard(_dot_)Ankney(_at_)emc2-tao(_dot_)fisc(_dot_)com
Subject: Certificate Purpose
We had defined a "certificate purpose" attribute in X9F1 (with values of
"signature", "encipherment", and "both"), but discovered we didn't need it.
Instead, we are using the algorithm ID associated with the public key.
We have an "rsa-signature" ID (ISO 9796), "rsa-key-transport" (PKCS #1
for encryption only), as well as the usual "rsa" and "rsa-encryption"
IDs. Similarly we'll have "dsa" and "diffie-hellman" for irreversible
algorithms, which quite obviously are only used for one purpose. Doing this
for PEM would require adding some more algorithm IDs to RFC 1423, of course,
but it does allow some restrictions on the use of a certificate.
Regards,
Rich
(Feel free to repost to the list if you think others will find it
interesting...).
---------------------------------------
Now THERE is a really interesting and useful suggestion - one that I wish
I had thought of. It would nicely solve the secretarial problem that I
mentioned.
Brad Huntting's suggestion of (paraphrasing and condensing) adding a
trusted key management system that would control who could use what
keys for what purposes would also solve it, at least theoretically.
However, having tried pushing the trusted computer rock up the hill for the
last ten years or more, I am not very confident that the user community
will ever adopt (pay for) the necessary computer security, and I would
prefer to solve the problem more directly.
Back to Rich's suggestion:
1. Could the addition of these two additional algorithm IDs be supported within
current or forthcoming (reasonably soon) versions of PEM?
2. Obviously the creation of certificates with (effectively)
"encryption-only," "signature-only," or "both" would tend to require
individual users to be assigned and use multiple certificates. Given
all of the flack regarding how to create distinguished names
for users that would allow these purposes to be differentiated, does
anyone have any suggestions as to how best to manage these different
certificates?
Bob