Re: Does the problem need solving?
On Jun 22, 2007, at 4:44 AM, Carl Wallace wrote:
> > Well, I'm asking what other people mean. I didn't write this
> > draft, I'm trying to understand it.
> >
> > I think a root-of-all-roots is not possible and opens up
> > large numbers of intractable questions (which start with the
> > previously mentioned p-word (policy) and get into others
> > (like politics)), so I hope this isn't what we're trying to solve.
>
> There's no universal root-of-all-roots notion intended in the
> draft. All roots need not spring from the same place. However, as
> Steve noted, for any particular trust store there may be a set of
> trust anchors authorized to manage the contents of the trust
> store. To some extent, the set of TAs authorized to manage a trust
> store could be viewed as the roots-of-all-roots for that trust store.
>
> In general, the idea is that there must be at least one trust
> anchor that is installed in any TA store for which trust is
> established using manual, out-of-band means. After this occurs, in-
> band management should be possible. Establishing a protocol to do
> this is the primary goal. Deciding on the trust anchor types to
> manage, extent of authorization to address, etc. is part of the
> scoping exercise.
Thank you Carl and Steve (I'm replying to Carl, but thanks go mostly
to Steve) for helping me understand this. I now see that this is
actually the *antithesis* of what I was erroneously thinking.
I think this solves a problem that needs solving. I still want to
see a way that we handle things other than X.509, and would like to
see XML wrappers as well, because, like XML or not, it's the way
things are in much of the world.
Jon
--
Jon Callas
CTO, CSO
PGP Corporation Tel: +1 (650) 319-9016
3460 West Bayshore Fax: +1 (650) 319-9001
Palo Alto, CA 94303 PGP: ed15 5bdf cd41 adfc 00f3
USA 28b6 52bf 5a46 bc98 e63d
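The management model Carl describes above (one anchor installed by manual, out-of-band means, after which only anchors explicitly authorized to manage the store may push in-band changes) can be shown as a small trust-store state machine. The following Go program is an added example written for this page; it is not code from the draft under discussion, from the IETF working group, or from PGP Corporation. It assumes Ed25519 keys in place of any particular TA format (X.509, OpenPGP or XML wrappers are not modelled), a constructed JSON encoding for the update message, and the hypothetical type names TrustAnchor, Update and TrustStore. Beyond the text, it also refuses an update that would leave the store with no management-capable anchor, since such a store could never again be managed in-band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TrustAnchor is a minimal, hypothetical anchor record: a name, a raw
// public key and a flag saying whether this anchor may manage the store.
type TrustAnchor struct {
	Name      string
	PublicKey ed25519.PublicKey
	MayManage bool
}

// Update is a hypothetical in-band management message: who claims to have
// signed it, which anchors to add and which to remove.
type Update struct {
	Signer string
	Add    []TrustAnchor
	Remove []string
}

// TrustStore holds the anchors currently trusted, keyed by name.
type TrustStore struct {
	anchors map[string]TrustAnchor
}

func NewTrustStore() *TrustStore {
	return &TrustStore{anchors: map[string]TrustAnchor{}}
}

// InstallOutOfBand models the manual bootstrap step: the operator places an
// anchor in the store directly, with no protocol message and no signature.
func (s *TrustStore) InstallOutOfBand(ta TrustAnchor) { s.anchors[ta.Name] = ta }

// Has reports whether an anchor with the given name is in the store.
func (s *TrustStore) Has(name string) bool { _, ok := s.anchors[name]; return ok }

// SignUpdate produces the signature a management anchor attaches to an update.
// The signed payload is the JSON encoding of the update (constructed format).
func SignUpdate(priv ed25519.PrivateKey, u Update) ([]byte, error) {
	payload, err := json.Marshal(u)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, payload), nil
}

// ApplyUpdate accepts an in-band update only if (1) the named signer is
// already an anchor in this store, (2) that anchor is authorized to manage
// the store, (3) the signature verifies, and (4) the resulting store still
// contains at least one management-capable anchor.
func (s *TrustStore) ApplyUpdate(u Update, sig []byte) error {
	signer, ok := s.anchors[u.Signer]
	if !ok {
		return errors.New("update signer is not a trust anchor in this store")
	}
	if !signer.MayManage {
		return errors.New("signer is a trust anchor but not authorized to manage the store")
	}
	if len(signer.PublicKey) != ed25519.PublicKeySize {
		return errors.New("signer anchor has a malformed public key")
	}
	payload, err := json.Marshal(u)
	if err != nil {
		return err
	}
	if !ed25519.Verify(signer.PublicKey, payload, sig) {
		return errors.New("update signature does not verify under the signer's key")
	}
	// Compute the post-update store first, then check it is still manageable.
	next := make(map[string]TrustAnchor, len(s.anchors))
	for n, ta := range s.anchors {
		next[n] = ta
	}
	for _, n := range u.Remove {
		delete(next, n)
	}
	for _, ta := range u.Add {
		next[ta.Name] = ta
	}
	managers := 0
	for _, ta := range next {
		if ta.MayManage {
			managers++
		}
	}
	if managers == 0 {
		return errors.New("update would leave no anchor able to manage the store")
	}
	s.anchors = next
	return nil
}

func main() {
	mgrPub, mgrPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	s := NewTrustStore()
	s.InstallOutOfBand(TrustAnchor{Name: "bootstrap-mgr", PublicKey: mgrPub, MayManage: true})
	u := Update{Signer: "bootstrap-mgr", Add: []TrustAnchor{{Name: "ca-1", PublicKey: newPub}}}
	sig, _ := SignUpdate(mgrPriv, u)
	fmt.Println("in-band add:", s.ApplyUpdate(u, sig), "has ca-1:", s.Has("ca-1"))
}
```

The interesting rejections are the ones a naive implementation gets wrong: a valid signature from an anchor that is trusted for certificate validation but not for store management, and a management update whose signature is valid but whose signer name is not yet in the store (an attacker cannot bootstrap themselves in-band). Both are rejected before any change is made, because the decision depends only on what is already in the store.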