[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Multiple TAAs



Steve,

> >In the specific area of application proxy software verification,
> >I'm pushing the complexity of determining whether a TA can
> >verify a software package into the PKIX certificate infrastructure
> >that can already handle it - I'd like to keep that area of
> >functionality out of the TA management protocol beyond the
> >ability of a TA to include a certificate.
>
> If you're saying that the per-vendor granularity is best managed by a 
> cert extension of the sort I suggested, I guess I agree. But, that is 
> an example of using a cert-specific capability to achieve the needed 
> granularity of authorization management.  Is your point that this is 
> now a TA feature, but not TAA feature?

Yes, specifically:

> > I might
> > be about to concede part of Steve's point by arguing that for the
> > proxy trust store, the TA has to include a certificate signed by
> > the device vendor and the prefix OID of the packages that TA can
> > verify has to be in the certificate.

and the code that handles proxy software download knows to check that
OID against the code package.

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@xxxxxxx        Mobile: +1 (978) 394-7754
----------------------------------------------------