..
Steve Kent and others argue eloquently, and maybe even fairly persuasively,
that the current X.509 certificate is intended for identification only, and
that there are no semantics, implied or otherwise, to a digitally signed message
unless arranged by an out-of-band agreement.
I have a real problem with that, even if the X.509 certificate was only used
to confirm a user's identity prior to starting an encrypted dialog with him.
In particular, if a user is issued a certificate by an organization who
CERTIFIES him (as opposed to merely registering his name), every lawyer
I have ever talked to would be more than willing to take the case claiming
a deep pockets relationship between the user and the organization.
..
Although I certainly respect Steve's expertise in many of these areas, I
would rather have a lawyer represent me on this issue.

Bob,
You have been pursuing this argument for eight months now, and although
your "legalese" is becoming increasingly impressive, you still seem to be
missing Steve's point. As I understand your positions, there is no conflict
between his desire to keep the X.509 certificate clean of any authorization
semantics and your desire to have a strictly additive set of authorizations.
The most common practice today in the non-electronic world is to require
separate documents for identification and authorization. For example, whip
out your check book or favorite credit card (authorization instruments) to make
that big purchase and you are invariably asked for some form of identification,
such as your driver's license.
The IETF (with its separate CAT and AAC working groups), SESAME, DCE and most
other attempts at distributed computing separate I&A and authorization. Why
is it that PEM should be different? Why can't PEM signatures simply imply
authentication with no authorizations? Then, if you wish to use PEM for EDI
or some other "higher-level" function, your PEM message can contain the
authorizations specific to your function. For example, my EDI request to
Ticketron could be of the form:

    PEM Message {
        Please send me 10 front row tickets to Sunday's Super Bowl at $100 a piece.
        Authorization certificate {
            Only Good for purchases up to $500.
        } Signed by Citiband Visa
    } Signed by C. Watt

This has a number of advantages:
- It gets PEM deployed now with no changes.
- It does not require changes to X.509 or PEM-specific kludges.
- It is more extensible.
- It separates I&A from authorizations so that a change in the latter
  does not require a change in the former.
- All authorizations are strictly additive, as you desire.
It has the disadvantage:
- It requires the verification of two signature chains.
Charlie Watt
SecureWare, Inc.
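
Added example, not part of the original message and not PEM code: a sketch of how a receiver could check the nested structure proposed above, verifying the sender's signature and the authorization issuer's signature separately before applying the limit. HMAC-SHA256 stands in for public-key signatures, and the keys, field names and the "holder" field binding the authorization to the sender are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 stands in for the public-key signatures
# PEM would use, so the "verification keys" here are shared secrets (assumption).
KEYS = {"C. Watt": b"demo-key-watt", "Citiband Visa": b"demo-key-visa"}
TRUSTED_ISSUERS = {"Citiband Visa"}  # hypothetical list of authorization issuers


def sign(signer, body):
    """Wrap body in an envelope 'signed' by signer."""
    data = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()
    return {"body": body, "signer": signer, "sig": tag}


def verify(envelope):
    """Check the envelope's tag; return (signer, body) or raise ValueError."""
    signer = envelope["signer"]
    if signer not in KEYS:
        raise ValueError("unknown signer")
    data = json.dumps(envelope["body"], sort_keys=True).encode()
    expected = hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        raise ValueError("bad signature from " + signer)
    return signer, envelope["body"]


def check_order(message):
    """Verify both chains, then apply the authorization to the request."""
    sender, body = verify(message)                  # chain 1: identification
    issuer, grant = verify(body["authorization"])   # chain 2: authorization
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("authorization issuer not trusted")
    if grant["holder"] != sender:                   # binding is an assumption
        raise ValueError("authorization was issued to someone else")
    total = body["quantity"] * body["unit_price"]
    if total > grant["limit"]:
        raise ValueError("request exceeds authorized limit")
    return sender, total


def build_order(quantity, unit_price, holder="C. Watt", limit=500):
    """Build a constructed sample message in the shape sketched above."""
    grant = sign("Citiband Visa", {"holder": holder, "limit": limit})
    return sign("C. Watt", {"quantity": quantity, "unit_price": unit_price,
                            "authorization": grant})
```

The identity check and the authorization check fail independently: a valid signature from the sender does not help if the attached authorization names a different holder or a smaller limit.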