2. Abandon the notion of using the IPRA to sign all of the
certificates of all of the PCAs, and use a direct trust model to
install self-signed PCA certificate(s) in the user's software. That
is what will have to be done with the IPRA certificate in any case.
Since we have to support direct trust anyway, this seems like the
direction we're headed in.
I agree. What do we have to do to make this happen quickly?
1. The various PCAs need to publish their certificates via FTP,
and list them in several newspapers, or perhaps something
like the Journal of the IEEE? In any case the reference should
be included in the Policy statement, so users can double check.
2. The various PEM implementations need to accept multiple
self-signed PCA certificates. How big a hit is this for TIS-PEM?
3. Clean up the RFCs. But this shouldn't stop action on 1 and 2,
if there is a reasonable concensus.
Bob