[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Multiple TAAs


> >In the specific area of application proxy software verification,
> >I'm pushing the complexity of determining whether a TA can
> >verify a software package into the PKIX certificate infrastructure
> >that can already handle it - I'd like to keep that area of
> >functionality out of the TA management protocol beyond the
> >ability of a TA to include a certificate.
> If you're saying that the per-vendor granularity is best managed by a 
> cert extension of the sort I suggested, I guess I agree. But, that is 
> an example of using a cert-specific capability to achieve the needed 
> granularity of authorization management.  Is your point that this is 
> now a TA feature, but not TAA feature?

Yes, specifically:

> > I might
> > be about to concede part of Steve's point by arguing that for the
> > proxy trust store, the TA has to include a certificate signed by
> > the device vendor and the prefix OID of the packages that TA can
> > verify has to be in the certificate.

and the code that handles proxy software download knows to check that
OID against the code package.

David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@xxxxxxx        Mobile: +1 (978) 394-7754