Wow, I thought the technology implemented in PEM was for verification and
certification. I didn't realize you could determine when a person has lied
in his message. This has grand implications.
Actually, this is a proposed extension for X.509. It requires a new attribute,
pathologicalLiarNOT, to be added to the certificate. Unfortunately, since
X.509 does not presently support ANY useful attributes about a person,
we won't be able to implement this highly desirable feature correctly until
X.500 '96.
In the meantime, you have two options:
1. Look up the attribute in the X.500 directory. Unfortunately, the
user's Certification Authority doesn't work for the directory services
supplier, so this attribute may or may not be reflected properly. In
addition, there isn't any good way for the directory services provider to
sign that attribute, either, so you'll just have to take it on faith. Of
course, since the Directory is only loosely synchronized and doesn't have
any capability of maintaining or referencing any archive versions, it will
be up to you to maintain your own archive copy of the Directory contents.
2. If you would prefer not having to keep an archive copy of the Directory
every time it changes, you might ask the CA or the PCA to maintain an
archival copy of the certification of that user, inviolable and in
perpetuity. That way, if you ever need to know whether a user always told
the truth, you could subpoena the records of the PCA or CA. Of course, since
forever is a long time, the PCA or CA may require a very substantial fee for
this service. And what will happen to those records if the PCA goes out of
business is difficult to say. Maybe we should publish a new standard or RFC
that would require that such organizations never fail.
3. You can register your organization with ANSI and obtain your own OID,
then you can enter your very own pathologicalLiarNOT attribute in the
user's Distinguished Name field of the X.509 certificate. This of course is an
ugly hack, but we must stick with the existing standards at all costs, even
if they don't do what we need them to do.
Bob (Tongue-In-Cheek) Jueneman