Re: Definition of "trust anchor"

At 9:48 AM -0400 7/5/07, Stephen Kent wrote:
How about:

A Trust Anchor is a Public key and associated information that a relying party uses for signature verification. The associated information often is used to define the scope of a trust anchor, by imposing constraints on the signatures it may be used to verify. For example, if a trust anchor is used to verify signatures on X.509 certificates, these constraints may include a combination of name spaces, certificate policies, or application/usage types.

I am quite unhappy about "uses". If an S/MIME message contains an intermediate CA certificate, I "use" it for signature verification, but it is not a trust anchor.

We need something that indicates that a trust anchor has a particular special property, namely that it is a key of highest authority. I know you don't like the word "trust", but "uses" is not specific enough.

--Paul Hoffman, Director
--VPN Consortium