
Re: Issue with the requirements document: PKIX-centric terminology

Stephen Kent wrote:
I keep saying that the format of what is being moved about is not nearly so hard a problem as the semantics of what is being moved, but either nobody believes me or nobody is listening. I can't tell which based on the responses :-).

You can count me as one person who has heard and agrees with me, but who just hasn't posted a message to the list until now.

I believe that I have heard a general consensus that the TAM protocol (or message syntax) needs to be able to specify more than just a list of trust anchors, but also constraints on the use of each trust anchor. Some of these constraints may apply equally to all TA types, such as the set of applications with which the TA may be used. However, as you have said, we need to allow for constraints that are format specific. For X.509, the most obvious constraints are the inputs to the path validation algorithm (name constraints, policy constraints, etc.). While I am not very familiar with OpenPGP or SPKI, I would be very surprised if one could use the same syntax and semantics to describe constraints on the use of TAs that are intended for use with X.509 to describe constraints on the use of TAs that are intended for use with OpenPGP or SPKI.

So, while it may be appropriate to have a syntax that allows for a single message to specify several different TA formats, I believe that there will need to be a separate effort to describe the syntax and semantics for specifying constraint information for each distinct TA format.