RE: Does the problem need solving?
At 9:45 AM -0400 6/28/07, Stephen Kent wrote:
> At 10:46 AM -0700 6/27/07, Paul Hoffman wrote:
>> At 10:28 AM -0700 6/27/07, Santosh Chokhani wrote:
>>> I am talking about associating certificate policies with a TA. I am not
>>> talking about managing the certificate policies for a CA or PKI.
>>> Associating certificate policies with a TA is very much a relying party
>>> decision. The relying party can choose to trust a TA for a subset of the
>>> policies for a PKI domain.
>>
>> Quite right. It's hard for those of us who have been swimming in
>> the PKIX waters for so long to remember that the relying party gets
>> to make his/her own decisions and doesn't have to rely only on what
>> is in a certificate.
>
> I'm surprised to hear you say that.
> PKIX has always operated in the space where RPs select TAs, and
> initialize the path validation parameters. What aspects of PKIX
> standards do you believe lead folks to think otherwise?

There is a large difference between "initialize the path validation
parameters" and "can initialize the path validation parameters". I
know of no popularly-used system that relies on PKIX certs that
allows any initialization of the path validation parameters. I assume
that you may know of one or two, but that does not negate what I said
--Paul Hoffman, Director