On Thu, 31 Mar 1994 jueneman%wotan@gte.com wrote:
> I don't recall whether you were on pem-dev at the time, but Steve Kent
> and I went around on the issue for a while, and I, at least, came up
> with an implementation model you may wish to consider:
Thanks. I'll put these methods into my "pot of ideas to consider". My
comment was really just an aside to my previous message.
> But how do potential users find out about PEM in general, and PEM
> implementations in particular, much less the list of PCAs and CAs,
> frequently asked questions, etc?
> I don't have time to go Internet surfing, or even read the various
> news groups except for this one, the NADF, and recently OSI-DS. I'm
> in the process of upgrading my software so I can get MOSAIC to work
> properly, for that rainy Saturday afternoon when I have nothing better to do,
> but I haven't used it yet and am not qualified to make suggestions in this
> area.
> In your view, how _should_ this information be distributed to the masses,
A widely publicised FAQ is always the best place to start, probably in
alt.security.ripem, sci.crypt, and of course news.answers. The news.answers
cross-posting will automatically get the FAQ mirrored in hundreds of places
which are accessible by FTP, Gopher, WAIS, WWW, etc. Having it on a
well-known PKC site like rsa.com can't hurt either. The RSA FAQ already
has lots of good information in it. Maybe we can extend that, although
something labelled "So you want to PEM do you?" ( :-) ) would be easier
for most newbies to track down. (And no, I'm not volunteering :-) ).
The list of PCAs and CAs is my primary concern at the moment, however.
I'd like to add a function to my software which allows the user to select
from a menu of Persona CAs which CA they want to use to get their key
rubber-stamped. The software then builds a self-signed certificate using
the conventions that CA wants and mails it off to be processed. e.g. there
is a list distributed with entries such as (the e-mail addresses and DN's
are wrong, but I'm going off the top of my head):
Name: RSA Low Assurance Persona CA
Phone: +1-???-???-????
Address: Low Assurance CA, RSA Data Security, ....
Policy: pem-policy-request@rsa.com
Policy-Summary: This CA provides a low level of assurance in
the identity of the user. The only guarantees given
by RSA Data Security Inc. are ...
Cost: None
Request: persona-ca@rsa.com
Format: C=US, O=RSA Data Security Inc, OU=Low Level Assurance CA,
CN=<?>
Certificate: <issuer certificate of above CA>
CRL: persona-ca-crl@rsa.com
This list of course would have to be signed by a well-known entity (probably
the mythical IPRA, but in the case of a Persona CA list, RSA's low assurance
PCA should be fine). Then, software can contain instructions of the form:
"the latest list of Persona CAs can be obtained from rsa.com as
/pub/calists/persona or by sending an e-mail address to
persona-list@rsa.com".
If the software is running in a TCP/IP environment, it could even fetch it
automatically, check the signature against a local copy of the well-known
entity's key, and then present the menu to the user. Similar things could
be done for lists of commercial PCAs so the user can choose which to send
the request to for commercial purposes.
Maybe I'm just a little too ambitious in my quest to make PEM friendly? :-)
Cheers,
Rhys.