
Re: Does the problem need solving?

On Jun 22, 2007, at 4:44 AM, Carl Wallace wrote:

>> Well, I'm asking what other people mean. I didn't write this
>> draft, I'm trying to understand it.
>>
>> I think a root-of-all-roots is not possible and opens up
>> large numbers of intractable questions (which start with the
>> previously mentioned p-word (policy) and get into others
>> (like politics)), so I hope this isn't what we're trying to solve.
>
> There's no universal root-of-all-roots notion intended in the draft. All roots need not spring from the same place. However, as Steve noted, for any particular trust store there may be a set of trust anchors authorized to manage the contents of the trust store. To some extent, the set of TAs authorized to manage a trust store could be viewed as the roots-of-all-roots for that trust store.
>
> In general, the idea is that there must be at least one trust anchor that is installed in any TA store for which trust is established using manual, out-of-band means. After this occurs, in-band management should be possible. Establishing a protocol to do this is the primary goal. Deciding on the trust anchor types to manage, extent of authorization to address, etc. is part of the scoping exercise.


Thank you Carl and Steve (I'm replying to Carl, but thanks go mostly to Steve) for helping me understand this. I now see that this is actually the *antithesis* of what I was erroneously thinking.

I think this solves a problem that needs solving. I still want to see a way that we handle things other than X.509, and would like to see XML wrappers as well, because like XML or not, it's the way things are in much of the world.

	Jon

--
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d
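The bootstrap-then-in-band model Carl describes above (one trust anchor installed manually, after which only updates signed by a management anchor may change the store), as an added illustration that is not part of this thread and is not the draft's own protocol or message format. The TrustAnchor, Update and TrustStore types, the "add"/"remove" operations, the canonical signing string and the sequence-number replay check are all assumptions made for this example; Ed25519 stands in for whatever signature mechanism a real TA format would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustAnchor is a trust anchor in this illustrative model: a name and an
// Ed25519 public key. (Hypothetical type, not the draft's TA formats.)
type TrustAnchor struct {
	Name string
	Key  ed25519.PublicKey
}

// Update is a hypothetical in-band management message: add or remove one
// anchor, signed by an anchor already authorized to manage the store.
type Update struct {
	Seq    uint64 // strictly increasing; lets the store reject replayed updates
	Op     string // "add" or "remove"
	Target TrustAnchor
	Signer string // name of the management anchor that signed this update
	Sig    []byte
}

// TrustStore holds the trusted anchors plus the subset allowed to manage it.
type TrustStore struct {
	anchors  map[string]ed25519.PublicKey
	managers map[string]bool
	seq      uint64 // sequence number of the last accepted update
}

// NewTrustStore installs one management anchor by out-of-band means: the
// caller is trusted to have obtained it manually (the bootstrap step in the
// thread). From here on every change must arrive as a signed Update.
func NewTrustStore(bootstrap TrustAnchor) *TrustStore {
	return &TrustStore{
		anchors:  map[string]ed25519.PublicKey{bootstrap.Name: bootstrap.Key},
		managers: map[string]bool{bootstrap.Name: true},
	}
}

// signedBytes is the canonical string an update is signed over. Every field
// that affects store state is covered, so none can be altered after signing.
func signedBytes(u Update) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%x|%s",
		u.Seq, u.Op, u.Target.Name, []byte(u.Target.Key), u.Signer))
}

// Sign attaches a signature made with a management anchor's private key.
func Sign(priv ed25519.PrivateKey, u Update) Update {
	u.Sig = ed25519.Sign(priv, signedBytes(u))
	return u
}

// Apply checks authorization, replay and signature before touching the store.
func (s *TrustStore) Apply(u Update) error {
	if !s.managers[u.Signer] {
		return errors.New("signer is not a management anchor of this store")
	}
	if u.Seq <= s.seq {
		return errors.New("stale or replayed update")
	}
	if !ed25519.Verify(s.anchors[u.Signer], signedBytes(u), u.Sig) {
		return errors.New("bad signature")
	}
	switch u.Op {
	case "add":
		s.anchors[u.Target.Name] = u.Target.Key
	case "remove":
		// Never leave the store with no way to accept further in-band updates.
		if s.managers[u.Target.Name] && len(s.managers) == 1 {
			return errors.New("refusing to remove the last management anchor")
		}
		delete(s.anchors, u.Target.Name)
		delete(s.managers, u.Target.Name)
	default:
		return errors.New("unknown operation")
	}
	s.seq = u.Seq
	return nil
}

// Has reports whether an anchor with this name is currently trusted.
func (s *TrustStore) Has(name string) bool { _, ok := s.anchors[name]; return ok }

func main() {
	// Constructed keys for the demonstration: one manager, one rogue party.
	mgmtPub, mgmtPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	caPub, _, _ := ed25519.GenerateKey(rand.Reader)
	store := NewTrustStore(TrustAnchor{"mgmt-ta", mgmtPub})

	add := Update{Seq: 1, Op: "add", Target: TrustAnchor{"example-ca", caPub}, Signer: "mgmt-ta"}
	fmt.Println("add signed by manager:  ", store.Apply(Sign(mgmtPriv, add)))
	fmt.Println("replay of same update:  ", store.Apply(Sign(mgmtPriv, add)))
	forged := Update{Seq: 2, Op: "add", Target: TrustAnchor{"evil-ca", caPub}, Signer: "mgmt-ta"}
	fmt.Println("signed by a non-manager:", store.Apply(Sign(roguePriv, forged)))
}
```

The point the model makes concrete is the one in Carl's second paragraph: after the single manual installation, trust in every later change is derived from a signature that chains back to a management anchor, and an anchor that is merely trusted (here "example-ca") gains no authority to change the store just by being in it.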