Re: Definition of "trust anchor"
At 9:48 AM -0400 7/5/07, Stephen Kent wrote:
A Trust Anchor is a Public key and associated information that a relying
party uses for signature verification. The associated information
often is used to define the scope of a trust anchor, by imposing
constraints on the signatures it may be used to verify. For example,
if a trust anchor is used to verify signatures on X.509
certificates, these constraints may include a combination of name
spaces, certificate policies, or application/usage types.
I am quite unhappy about "uses". If an S/MIME message contains an
intermediate CA certificate, I "use" it for signature verification,
but it is not a trust anchor.
We need something that indicates that a trust anchor has a particular
special property, namely that it is a key of highest authority. I
know you don't like the word "trust", but "uses" is not specific
--Paul Hoffman, Director