With regard to the stuff below, it occurs to me that CAs and/or PCAs
could offer a service where they forwarded mail with their own
signature and time.

In fact, it would be very nice if we could associate a CA with a mailbox
name, e.g. "CA@sophia.inria.fr" for the CA <OU=sophia, O=INRIA, C=FR>. The
CA could in particular use this to post messages.

Come to think of it, if we could associate the CA with just a host name,
and reserve a "well known port" for "CA operation", it would be feasible to
design a lightweight TCP-based application certificate handling, e.g.:

* get host associated to CA, e.g. <sophia.inria.fr> for <OU=sophia,
  O=INRIA, C=FR>.
* TCP connect to host,
* send initial message, with two choices:
  a) user name, e.g. <huitema, sophia, INRIA, FR>
     -> CA returns certificate[s?] for user,
     -> possibly error e.g. "no such user" or "cancelled".
  b) some conventional value, e.g. "CRL?"
     -> CA returns last CRL.
* grab response, close connection.

Anybody willing to pursue this idea? There is one tough point, i.e. "how to
guess the domain name for the CA", and a couple of design decisions, e.g.
whether one allows "loose" queries, like "huittema" for "Christian Huitema"
or whether one wants to also implement a "cache" handling, e.g. letting
clients go through their "local CA".

Note that there is no need for what I described here as a "CA agent" to have
the dreadful "private key on line" characteristics. Certificates and CRLs are
all signed information, and can be prepared off line and canned.

Christian Huitema
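
The exchange sketched in the message above, as an added example that is not part of the original message or any deployed protocol: a "CA agent" that answers one query per TCP connection from canned, offline-signed data and holds no private key. The one-line query framing, the OK/ERR status line, the names (`start_agent`, `query_agent`, `CAAgentHandler`) and the placeholder blobs are all assumptions made for illustration.

```python
import socket
import socketserver
import threading

# Constructed placeholders: in practice these are a certificate and a CRL
# signed offline by the CA; the agent only stores and returns the bytes.
CANNED_CERTS = {"huitema, sophia, INRIA, FR": b"<certificate signed offline>"}
CANNED_CRL = b"<CRL signed offline>"


class CAAgentHandler(socketserver.StreamRequestHandler):
    """Answers one query per connection from canned, pre-signed data."""

    def handle(self):
        # Assumed framing: one query line, bounded so a client cannot
        # make the agent buffer unlimited input.
        query = self.rfile.readline(512).decode("utf-8", "replace").strip()
        if query == "CRL?":
            reply = b"OK\n" + CANNED_CRL
        elif query in CANNED_CERTS:
            reply = b"OK\n" + CANNED_CERTS[query]
        else:
            reply = b"ERR no such user\n"
        self.wfile.write(reply)  # connection closes when handle() returns


def start_agent(host="127.0.0.1", port=0):
    """Start the agent in a background thread; port 0 picks a free port."""
    server = socketserver.ThreadingTCPServer((host, port), CAAgentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query_agent(address, query, timeout=5.0):
    """Connect, send one query, read until the agent closes the connection."""
    with socket.create_connection(address, timeout=timeout) as sock:
        sock.sendall(query.encode("utf-8") + b"\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    status, _, body = b"".join(chunks).partition(b"\n")
    if status == b"OK":
        # The body is untrusted until the client verifies the CA signature.
        return True, body
    return False, status[4:]  # error text after "ERR "
```

Because the agent only replays signed objects, a compromised agent can withhold data or serve a stale CRL but cannot forge a certificate; the client still has to verify the signature and check the CRL's issue date itself.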