Steve,
You make two good points. {The folks in Mobile Alabama will,
I'm sure, forgive you suggesting that they be annexed by Louisiana
;-).} The approach I have proposed does seem to intrude on the right
to use doctrine, but I think it does so in a manageable way. I don't
see the state of Arizona suing J.C. Penney for selling "Arizona" blue
jeans. The trick, I think, is to make it clear to everyone, users and
governmental organizations alike, that the operation of a state-named
CA operated under a residential PCA is an artifact of the naming
constraints imposed by the Internet certification system and does not
represent an attempt on the part of the PCA to usurp the state's right
to use that name. This should be made explicit in the PCA policy
statement.

If BBN were in the residential PCA business, which we are not,
I would write a letter to the secretary of state for each state for
which we plan to establish a CA. The letter would indicate our intent
to establish the CA in accordance with the principles established for
residential CAs in RFC 1422, with which I'm sure they are all familiar
;-). It would emphasize that this CA would NOT be used to
register anyone claiming an organizational affiliation with state or
municipal governments, but only individuals claiming residence within
the state, so that the state government would still be in a position
to act as CA for its employees, elected officials, etc.

As for your second point, you are right that I forgot to
discuss CRL management. Only one CRL can be issued for a CA, so this
function still needs to be centralized. The most likely scenario
calls for the CA representatives to forward CRL inputs to the HQ CA
representative and have that CA actually sign and issue the CRL for
the CA. The certificates that each CA rep can hotlist can be limited
to the serial number ranges that the rep can sign. If "rogue" CRL
issuance were a problem, we could add an ability to disable the CRL
signing facility in the CSUs at other than the HQ site (since, as you
correctly note, there is no "source tagging" of CRL vs. certificates).

Thanks for bringing out those points from my message for
further clarification.
Steve
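The CRL arrangement described in the message above (CA representatives forward revocation inputs to HQ, each rep may only hotlist serial numbers within the range it is authorized to sign, and only the HQ representative signs the single CRL for the CA) can be modelled as a small policy check. The following Python is an added example and is not code from the original message or from BBN; the representative names, serial-number ranges, the HMAC stand-in for the CA signature and the sample inputs are all constructed for illustration.

```python
"""Added example: centralized CRL assembly with per-representative
serial-number range limits and HQ-only signing.

Assumptions (constructed for this example): three CA representatives,
inclusive serial ranges per rep, and an HMAC key standing in for the
CA private key held in the HQ CSU.
"""
import hashlib
import hmac
import json

# Constructed: the serial-number range (inclusive) each rep is allowed
# to sign, and therefore the only certificates that rep may hotlist.
REP_SERIAL_RANGES = {
    "hq": (1, 999),
    "branch-east": (1000, 1999),
    "branch-west": (2000, 2999),
}

# Constructed stand-in for the CA signing key; in practice this is the
# private key in the HQ CSU, and the branch CSUs have CRL signing disabled.
HQ_SIGNING_KEY = b"constructed-hq-crl-signing-key"


def rep_may_hotlist(rep, serial):
    """True when the rep's authorized range covers this serial number."""
    bounds = REP_SERIAL_RANGES.get(rep)
    if bounds is None:
        return False
    low, high = bounds
    return low <= serial <= high


def filter_crl_inputs(inputs):
    """Split forwarded CRL inputs into accepted and rejected entries.

    Each input is (rep, serial, reason). An entry is rejected when the rep
    is unknown or the serial lies outside that rep's range, so one rep
    cannot hotlist certificates issued by another rep.
    """
    accepted, rejected = [], []
    for rep, serial, reason in inputs:
        entry = {"serial": serial, "reason": reason, "from": rep}
        (accepted if rep_may_hotlist(rep, serial) else rejected).append(entry)
    return accepted, rejected


def build_crl(accepted, issued_at):
    """Assemble the single CRL for the CA from the accepted entries."""
    revoked = sorted(
        ({"serial": e["serial"], "reason": e["reason"]} for e in accepted),
        key=lambda e: e["serial"],
    )
    return {"issuer": "CN=Example CA (constructed)",
            "issued_at": issued_at,
            "revoked": revoked}


def _crl_bytes(crl):
    return json.dumps(crl, sort_keys=True).encode()


def sign_crl(crl, signer, key=HQ_SIGNING_KEY):
    """Only the HQ representative may sign the CRL; others are refused."""
    if signer != "hq":
        raise PermissionError(f"{signer} is not permitted to sign the CRL")
    return hmac.new(key, _crl_bytes(crl), hashlib.sha256).hexdigest()


def verify_crl(crl, signature, key=HQ_SIGNING_KEY):
    """Check the CRL against the HQ signature (constant-time compare)."""
    expected = hmac.new(key, _crl_bytes(crl), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample inputs forwarded by the reps.
    sample = [
        ("branch-east", 1500, "keyCompromise"),   # in range: accepted
        ("branch-west", 1500, "keyCompromise"),   # wrong rep: rejected
        ("hq", 42, "cessationOfOperation"),       # in range: accepted
        ("unknown-rep", 5, "keyCompromise"),      # unknown rep: rejected
    ]
    ok, bad = filter_crl_inputs(sample)
    crl = build_crl(ok, "2024-01-01T00:00:00Z")
    sig = sign_crl(crl, "hq")
    print("accepted:", [e["serial"] for e in ok])
    print("rejected:", [(e["from"], e["serial"]) for e in bad])
    print("verified:", verify_crl(crl, sig))
```

The range check is what prevents a branch rep from hotlisting certificates it did not issue, and refusing any signer other than HQ is the software analogue of disabling the CRL signing facility in the non-HQ CSUs, since the CRL itself carries no source tag.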