Ed Gerck wrote:
> I believe that's what I wrote above. This rather old point (known to the
> X.509 authors, as one can read in their documents) is why X.509 simplifies
> what it provides to the least possible _to_automate_ and puts all the local
> and human-based security decisions in the CPS.
>
> (The fact that the CPS is declared to be out of scope of X.509 is both a
> solution and a BIG problem as I mentioned previously.)
i like the explanation that some attempted to give at the acm sigmod conference in san jose (circa 1992) .... of what was going on in the x.5xx standards activities; ... a bunch of network engineers trying to re-invent 1960s database technology ... the x.509 digital certificates being a stale, static, cacheable entry of something in an x.500 ldap database ... that was armored for survival in a potentially hostile environment and for relying parties that didn't have the ability to access the real database entry.

cps was something that was needed for trusted third party certification authority operation ... not for the x.509 identity certificate itself.

the issue is when you effectively have these stale, static, cacheable, armored database entries that aren't part of the organization and business processes that the relying parties belong to. in traditional access to database entries (whether you are directly accessing the entry or a stale, static cached copy of the database entry) ... the business processes accessing the data and the businesses responsible for the data are part of the same operation and/or belong to organizations that have binding contractual relationships. it is only an issue when the parties responsible for the information (trusted third party certification authorities) are 1) totally different from the parties relying on the information and/or 2) not in any contractual relationship with those relying parties.
one could hypothesize that the creation of CPSs was to provide some sort of substitute for a contractual relationship between different organizations/parties where the relying party has no means of directly accessing the information and must rely on a stale, static digital certificate representation (of that information), provided by an organization with which the relying party has no contractual relationship (just claiming to be a trusted third party certification authority possibly wasn't enough of a sense of security for some relying parties, and so CPSs were invented to provide relying parties a higher sense of comfort in lieu of having something like an actual contractual relationship).

that makes CPSs a substitute for contractual relationships when x.509 digital certificates are used by trusted third party certification authorities where the relying parties and the TTP/CAs are different organizations.
