Hi Bob,
WOW!! Your message was just shy of 300 lines.  You seem interested in
this topic.
  I therefore recommend either of two choices: 1) Issue residential 
  certificates under the PCA root key, without name subordination
  and without any particularly strong guarantees of uniqueness
  and/or right-to-use, or
  The problem with this approach is that PEM presently assumes that
  there will always be a CA under a PCA, and that therefore any 
  certificate signed by a PCA must be a CA. This would potentially
  allow an individual user to certify another individual user, while
  pretending or appearing to be a CA.
I think you have an excellent suggestion and one which is worthy of
serious consideration by this audience.  If the present assumption
(requirement?) were removed that a PCA only certifies CAs, then there
could be residential PCAs which directly certify users without having
to follow the name subordination requirements.  This has a few
obvious advantages:
- It ameliorates the "gotcha" factor that Steve Kent has identified.
Because a PEM user agent is required to show the PCA name as well as
the sender's name, for a PCA which directly certifies residential
users, these two pieces of information constitute the whole
certification chain, making it clear who certified each user without
any new display requirements.
- It provides a way of legitimizing those "rogue" residential CAs that
are currently issuing certificates but not currently following the PEM
name subordination rules.  It may only be necessary for such a CA to
publish a PCA statement to become legit.
- It makes the IPRA database requirement easier to describe and
implement. Currently there are two databases, one for residential and
one for CAs under the PCAs.  The new requirement would simply state
that any subject of a cert from a PCA should be checked against
entries in a single database.
Whaddya think?
Steve Dusse
RSA