Re: Key selectors

Jeff,

In this message I'm replying to two of your messages, both under the
subject of key selectors.

      Suppose you have one key certified by different issuers A and B
      (or one key used for different roles, as in Bob's case).

It is the intent of RFC1422 to disallow this.  In other words, you would
not be able to accomplish this with "classic" PEM.  I base this on the
following words which appear in RFC 1422:

  3.4.2.2  Ensuring the Uniqueness of Distinguished Names

  ...

  As noted earlier, a CA may be certified under more than one PCA,
  e.g., because the CA wants to issue certificates under two different
  policies.  If a CA is certified by multiple different PCAs, the CA
  must employ a different public key pair for each PCA.  In such
  circumstances the certificate issued to the CA by each PCA will
  contain a different subjectPublicKey and thus will represent a
  different entry in this database.  The same situation may arise if
  multiple, equivalent residential CAs are certified by different PCAs.

In point of fact, use of the same key for different purposes is strongly
discouraged.  In fact, not doing so is a serious security vulnerability,
notwithstanding the fact that it eliminates accountability.


I certainly agree with Jim on this point, as I said earlier.

In the case of Organizational Persons, in RFC1422 it is clear that the same
certificate cannot be certified by two different CAs, because of the requirement
for name subordination.  This of course can cause some awkward implementation
problmes, as Jeff Schiller has pointed out. I believe that Warwick and Rhys 
worked
out some nice solutions to this problem that will be slick once we have v3 (if I
could get anyone to commit to it).

I haven't checked PEM/MIME to see if they addressed this issue, and if so how. I
suspect it's the same as in classic PEM, Jim?

BTW, Jim, do you have a position vis a vis including support for the minimal
content of v3 in this version fo the spec? I.e., the capability of supporting 
the
extensions only, not the proposed definitions of what some useful extensions 
might
be?

Cf. the messages from Mark Wahl, which I am still trying to digest.


Bob

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Key selectors, (continued) Re: Key selectors, Jeff Thompson Re: Key selectors, Jueneman Re: Key selectors, Ashar Aziz Re: Key selectors, Jeff Thompson Re: Key selectors, James M Galvin Re: Key selectors, James M Galvin Re: Key selectors, Jeff Thompson Re: Key selectors, James M Galvin Re: Key selectors, Jueneman Re: Key selectors, Jueneman Re: Key selectors, Jueneman <= Re: Key selectors, James M Galvin Re: Key selectors, Jueneman Re: Key selectors, Mark Wahl Re: Key selectors, Jueneman Re: Key selectors, Ned Freed Re: Key selectors, Jueneman Re: Key selectors, warwick (w.s.) ford Re: Key selectors, Amanda Walker Re: Key selectors, Jueneman

Previous by Date:	Re: Semantics of signatures, multiple and otherwise, Ned Freed
Next by Date:	Re: Semantics of signatures, multiple and otherwise, Ned Freed
Previous by Thread:	Re: Key selectors, Jueneman
Next by Thread:	Re: Key selectors, James M Galvin
Indexes:	[Date] [Thread] [Top] [All Lists]