RE: Does the problem need solving?

[Paul Hoffman <paul.hoffman@xxxxxxxx>]

At 9:45 AM -0400 6/28/07, Stephen Kent wrote:
> At 10:46 AM -0700 6/27/07, Paul Hoffman wrote:
> > At 10:28 AM -0700 6/27/07, Santosh Chokhani wrote:
> > > I am talking about associating certificate policies with a TA.  I am not
> > > talking about managing the certificate policies for a CA or PKI.
> > >
> > > Associating certificate policies with a TA is very much relying party
> > > decision.  The relying party can choose to trust a TA for subset of the
> > > policies for a PKI domain.
> >
> > Quite right. It's hard for those of us who have been swimming in 
> > the PKIX waters for so long to remember that the relying party gets 
> > to make his/her own decisions and don't have to rely only on what 
> > is in a certificate.
>
> I'm surprised to hear you say that.
>
> PKIX has always operated in the space where RPs select TAs, and 
> initialize the path validation parameters. What aspects of PKIX 
> standards do you believe leads folks to think otherwise?

There is a large difference between "initialize the path validation 
parameters" and "can initialize the path validation parameters". I 
know of no popularly-used system that relies on PKIX certs that 
allows any initialization of the path validation parameters. I assume 
that you may know of one or two, but that does not negate what I said 
above.

--Paul Hoffman, Director
--VPN Consortium