
about policies and PCAs!

1994-03-02 08:53:00

My name is Francisco Jordan from Universitat Politecnica de Catalunya, 
Barcelona, Spain. I'm now involved in my doctoral thesis, which is based 
on CA infrastructure, certification management, etc., and the PEM model was 
one of my starting points.

I am sending this mail because I have some concerns about PEM's Policy or PCA 
concept. I don't know if you have already discussed this issue or whether there 
exists any paper, document, etc. that treats it. If so, please send me the 
reference and I will check it.

These are my concerns:

Steve Kent writes in the first section of RFC-1422, February 1993 (1. 
Executive Summary, approx. 7th para):
"... (It is desirable that there be a relatively small number of PCAs, each 
with a substantively different policy, to facilitate user familiarity with the 
set of PCA policies. However there is no explicit requirement that the set 
of PCAs be limited in this fashion.)..."

From the USA, I know the following PCA, extracted from recent PEM mails:
        "C=US; SP=MD; O=Trusted Information Systems PCA"

Let me reproduce another sentence from RFC-1422 (same section and 
paragraph as above):
"... Beneath IPRA root are Policy Certification Authorities (PCAs), each 
of which establishes and publishes (in the form of an informational RFC) 
its policies for registration of users or organizations..."

By reading this paragraph and section "3.4.4 Certification Authorities" of 
the same RFC, one could expect PCAs with the following names and 
functions, for example:
        "C=US; X=EDU PCA" that establishes policies for the educational 
community in USA,
        "C=US; X=COMPUTER COM PCA" that establishes policies for 
computer-related commercial organizations in USA,
        "C=US; X=SWIFT PCA" that establishes policies for the banking 
community in USA,
        ...
and then these PCAs certify organizations like "O=MIT", "O=BBN" or 
"O=TIS", "O=Bank Of America", etc.
I've intentionally written "C=US; X=NNNN PCA" because in this case 
I'm not sure that I can use "O" for signalling an organization. Which DN 
attribute is the appropriate one? Does the IPRA limit PCAs' DN attributes?

Hint: Which is really the current PCA practice, that of "C=US; O=TIS 
PCA" (organization) or that of "C=US; X=EDU PCA" (community)?
If the former, then I think that RFC-1422 does not convey this idea.
If the latter, then I have other concerns.

As you can see, perhaps I have a conceptual problem. Anyway, I want to 
be sure of what the situation of PCAs is in the real world. Please feel 
free to send any reply directly to me, or if you consider that it could be 
interesting to the list, then make your replies public.

If you have a PEM implementation, could you please reply with a PEM 
MIC-CLEAR message containing all issuer-certificate fields up to your 
PCA (included).

Regards,
Francisco Jordan


PS: Is it possible to know all the PCAs that have been certified by the 
IPRA so far? Actually, I am interested in knowing how many and which 
PCAs currently exist worldwide. Does anybody have this info? If not, can I 
offer to collect such information and make it public to the list?
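The IPRA -> PCA -> CA -> user layering quoted from RFC-1422 above, worked through as an added example (not code from the list post, from any PEM implementation, or from RFC-1422). It parses the "C=US; SP=MD; O=..." name notation used in the message into attribute/value pairs, treats attribute keys as opaque strings so that both the organization-style ("O=...") and community-style ("X=...") PCA names discussed above are handled alike, walks issuer names upward from a certificate to the root, and reports which PCA's published policy governs the entity. The IPRA name, the "C=US; X=EDU PCA" entry, the organization CAs and the user entries are constructed sample data; no signatures are verified, only the name chaining, loop detection and dangling-issuer detection that a relying party would need before trusting a chain.

```python
"""Name-chaining model of the RFC 1422 certification hierarchy.

Constructed example: certificates carry only subject and issuer names,
signatures are not modelled, and the IPRA name is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Only the name fields matter for the chaining logic shown here."""
    subject: str
    issuer: str


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'C=US; SP=MD; O=Trusted Information Systems PCA' into ordered
    (attribute, value) pairs; attribute keys are upper-cased, values kept."""
    pairs = []
    for component in dn.split(";"):
        component = component.strip()
        if not component:
            continue
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        key, value = component.split("=", 1)
        pairs.append((key.strip().upper(), value.strip()))
    if not pairs:
        raise ValueError("empty DN")
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical string form so 'c=US;o=MIT' and 'C=US; O=MIT' compare equal."""
    return "; ".join(f"{k}={v}" for k, v in parse_dn(dn))


def build_index(certs: list[Cert]) -> dict[str, Cert]:
    """Map normalized subject name -> certificate, rejecting duplicate subjects."""
    index: dict[str, Cert] = {}
    for cert in certs:
        key = normalize_dn(cert.subject)
        if key in index:
            raise ValueError(f"duplicate subject: {key}")
        index[key] = cert
    return index


def certification_path(leaf: Cert, index: dict[str, Cert], root_dn: str,
                       max_depth: int = 8) -> list[Cert]:
    """Follow issuer names from leaf up to the root; returns [leaf, ..., root].
    Raises on a missing issuer, a loop, or a root that is not self-issued."""
    root_key = normalize_dn(root_dn)
    path = [leaf]
    seen = {normalize_dn(leaf.subject)}
    current = leaf
    while normalize_dn(current.subject) != root_key:
        issuer_key = normalize_dn(current.issuer)
        issuer = index.get(issuer_key)
        if issuer is None:
            raise ValueError(f"issuer not found: {issuer_key}")
        if issuer_key in seen or len(path) >= max_depth:
            raise ValueError("certification path loops or is too long")
        seen.add(issuer_key)
        path.append(issuer)
        current = issuer
    if normalize_dn(current.issuer) != root_key:
        raise ValueError("root certificate is not self-issued")
    return path


def governing_pca(path: list[Cert]) -> str:
    """In the RFC 1422 layering, the certificate issued directly by the root
    (IPRA) is the PCA whose published policy governs everything beneath it."""
    if len(path) < 2:
        raise ValueError("path contains no PCA")
    return normalize_dn(path[-2].subject)


# Constructed sample hierarchy (placeholder IPRA name; TIS PCA name as quoted
# on the list; EDU PCA is the hypothetical community-style name from the mail).
IPRA_DN = "O=Internet PCA Registration Authority"
TIS_PCA_DN = "C=US; SP=MD; O=Trusted Information Systems PCA"
EDU_PCA_DN = "C=US; X=EDU PCA"

SAMPLE_CERTS = [
    Cert(IPRA_DN, IPRA_DN),                                   # self-issued root
    Cert(TIS_PCA_DN, IPRA_DN),
    Cert(EDU_PCA_DN, IPRA_DN),
    Cert("C=US; O=MIT", EDU_PCA_DN),
    Cert("C=US; O=MIT; CN=Alice Example", "C=US; O=MIT"),
    Cert("C=US; O=Bank Of America", TIS_PCA_DN),
    Cert("C=US; O=Bank Of America; CN=Bob Example", "C=US; O=Bank Of America"),
    Cert("C=US; O=Orphan CA", "C=US; X=Unknown PCA"),         # dangling issuer
]


def pca_for(subject_dn: str, certs: list[Cert] = SAMPLE_CERTS,
            root_dn: str = IPRA_DN) -> str:
    """Normalized name of the PCA governing the named entity."""
    index = build_index(certs)
    leaf = index[normalize_dn(subject_dn)]
    return governing_pca(certification_path(leaf, index, root_dn))


if __name__ == "__main__":
    for dn in ("C=US; O=MIT; CN=Alice Example",
               "C=US; O=Bank Of America; CN=Bob Example"):
        print(dn, "->", pca_for(dn))
```

The walker stops at the first name it cannot resolve rather than guessing, and refuses self-issued certificates anywhere except at the configured root, so an organization CA cannot present itself as its own anchor.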
