
Re: Types of object for trust anchors





>>>>> "Paul" == Paul Hoffman <paul.hoffman@xxxxxxxx> writes:
    Paul> Greetings again. One thing that I didn't see in section 3 of
    Paul> draft-wallace-ta-mgmt-problem-statement-00 was something
    Paul> acknowledging that trust anchors might come in multiple
    Paul> formats. At a minimum, some systems want them as bare public
    Paul> keys and others want them as certificates. In the latter
    Paul> category, some systems would want them as PKIX certificates

  I didn't see a lot of mention of bare public keys in the document.
  Nor as PGP certificates.

    Paul> and some would want them as PGP certificates. It makes sense
    Paul> to allow one set of trust anchors being delivered to contain
    Paul> multiple types and let the receiver sort out which types it
    Paul> can use.

  That seems more complicated (in code space) than just making everyone
use BER CMS to me...  I would say that it's either something like YAML +
DNS presentation format of bare keys, or CMS. Not both.

  I also think that some SPKI stuff needs to be brought up in the BOF.
  Specifically, relating to section 3, paragraph 3.

  While I appreciate section 4, I'd rather that it be removed and placed
into a separate document prior to the BOF. Who are the BOF chairs?

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxx      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


  