[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue with the requirements document: PKIX-centric terminology



David A. Cooper wrote:

<snip>
>
> I believe that I have heard a general consensus that the TAM protocol
> (or message syntax) needs to be able to specify more than just a list
> of trust anchors, but also constraints on the use of each trust
> anchor.  Some of these constraints may apply equally to all TA types,
> such as the set of applications with with the TA may be used. 
> However, as you have said, we need to allow for constraints that are
> format specific.  For X.509, the most obvious constraints are the
> inputs to the path validation algorithm (name constraints, policy
I don't understand that statement. The constraints you mention are
extensions
to X.509 certificates which undoubtedly are important when a PKIX
implementation
_uses_ a TA (eg part of path construction or path validation) but I
don't see why
this information is needed when storing or retrieving a TA from a TA store.

I'm implicitly assuming that the number of TAs for any given application
won't
be so large so as to require more than a list-all type-of access to the
TA store.

    Cheers Leif