[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Issue with the requirements document: PKIX-centric terminology
Stephen Kent wrote:
I keep saying that the format of what is being moved about is not
nearly so hard a problem as the semantics of what is being moved, but
either nobody believes me or nobody is listening. I can;t tell which
based on he responses :-).
You can count me as one person who has heard and agrees with me, but who
just hasn't posted a message to the list until now.
I believe that I have heard a general consensus that the TAM protocol
(or message syntax) needs to be able to specify more than just a list of
trust anchors, but also constraints on the use of each trust anchor.
Some of these constraints may apply equally to all TA types, such as the
set of applications with with the TA may be used. However, as you have
said, we need to allow for constraints that are format specific. For
X.509, the most obvious constraints are the inputs to the path
validation algorithm (name constraints, policy constraints, etc.).
While, I am not very familiar with OpenPGP or SPKI, I would be very
surprised if one could use the same syntax and semantics to describe
constraints on the use of TAs that are intended for use with X.509 to
describe constraints on the use of TAs that are intended for use with
OpenPGP or SPKI.
So, while it may be appropriate to have a syntax that allows for a
single message to specify several different TA formats, I believe that
there will need to be a separate effort to describe the syntax and
semantics for specifying constraint information for each distinct TA format.