"Enzo Michelangeli" <[EMAIL PROTECTED]> writes:
>>I have an RFC draft for this which I wrote a while back but it was rejected by
>>the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1
>>syntax"), and I haven't had the motivation to publish it as an independent
>>draft - would anyone even notice?.
>I don't think we need a draft for that: is there anything in the current RFC's
>preventing an S/MIME user agent from verifying an attached cert against a
>locally-stored copy, rather than traversing the certification path up to the
>root? Or also from installing root certs made by arbitrary peers?
There's a lot more to it than that, the abstract for the draft describes the
scope as:
-- Snip --
Current X.509 profiles assume the presence of an arbitrarily large and all-
encompassing PKI run by third parties in order to function. Unfortunately this
doesn't take into account common cases such as the situation where parties have
an existing trust relationship and want to share keys (without requiring a
third party to issue them certificates), or where an end entity has a signing
certificate and wants to issue their own confidentiality keys rather than
requiring the cooperation of a third party to do it for them, or where an end
entity wishes to distribute their keys via commonly-available mechanisms such
as web pages instead of waiting for a Directory capable of performing this task
to appear.
This profile presents a mechanism for identifying and working with end-entity
certificates which fulfil the above requirements. This use of end-entity
certified keys, combined with the distribution mechanism described below,
allows perfect forward (and backward) secrecy (keys can be rolled over hourly
if required) which can be made completely transparent to the user, as well as
doing away with the need for the (often unnecessary) reliance on a CA for
certification of keys, and with the need for a Directory or similar mechanism
for key distribution.
-- Snip --
There's a copy online at
http://www.cs.auckland.ac.nz/~pgut001/pubs/autonomous.txt if anyone wants so
see the whole thing.
Peter.
