Leif,I am not referring to certificate extensions. Section 6.1.1 of 3280bis lists the following inputs to the path validation algorithm in addition to the trust anchor, prospective certification path, and current date/time: user-initial-policy-set, initial-policy-mapping-inhibit, initial-explicit-policy, initial-any-policy-inhibit, initial-permitted-subtrees, and initial-excluded-subtrees. A TAA may wish to specify values for these inputs. For example, the TAA may say that TA1 may be used with application X, but path validation should be performed with initial-explicit-policy=TRUE and user-initial-policy-set = {p1, p2}. This may be done because TA1 issues certificates at different assurance levels, and certificates issued under some of these assurance levels (e.g., p3) are not considered acceptable for use with application X.
This has nothing to do with the number of TAs. Even if there is only a single TA, the TAA may wish to specify constraints so that not all certificates issued by the TA will be considered valid for use with an application.
Dave Leif Johansson wrote:
David A. Cooper wrote: <snip>I believe that I have heard a general consensus that the TAM protocol (or message syntax) needs to be able to specify more than just a list of trust anchors, but also constraints on the use of each trust anchor. Some of these constraints may apply equally to all TA types,such as the set of applications with with the TA may be used. However, as you have said, we need to allow for constraints that areformat specific. For X.509, the most obvious constraints are the inputs to the path validation algorithm (name constraints, policyI don't understand that statement. The constraints you mention are extensions to X.509 certificates which undoubtedly are important when a PKIX implementation _uses_ a TA (eg part of path construction or path validation) but I don't see why this information is needed when storing or retrieving a TA from a TA store. I'm implicitly assuming that the number of TAs for any given application won't be so large so as to require more than a list-all type-of access to the TA store. Cheers Leif