Ian G wrote:
E.g., travis wants own identity in the PGP key. Yet your definition calls for capturing the identity of a newspaper.
The PGP key was designed to permit a given set of attributes. If the attributes are insufficient for a specific transaction's context, the PGP key would be inappropriate for the OP's use-case. The identity (attributes) of the newspaper only has meaning in the context of buying a newspaper. If the vendor of the newspaper had a strange requirement that he wants a PGP-signed message for home-delivery of the newspaper, and if the OP had the inclination to acquiesce, then the newspaper's identity and the identity attributes of the PGP key have meaning in that transaction; otherwise they are irrelevant.
We're now talking about identifiers and OOP and capabilities and fundamentals of data, not what humans think of their "identity".
That is precisely the problem - that humans think of identity as some abstract, meta-physical concept, when all it is is an aggregation of attributes relevant to a transaction.
It's a bit like defining Travis's identity as the set of actions that erupt from movements of the collection of atoms bounded by the clothing barrier....
Not a set of actions - but a set of attributes. Isn't all matter just a collection of atoms that, when aggregated and capable of exhibiting specific properties, we humans identify with a name? Why do we call the combination of 2 hydrogen atoms and 1 oxygen atom water, steam, ice and snow? Because of their attributes. They are the same atoms, but within a specific context, they have different attributes and, thus, different identities.
OpenPGP can still do that, but it misses the point by a layer or two. We do not have a way to capture a bundle of attributes and make them perform as per the OP's desires. x.509 insists there is no bundle, or it insists there is only an unchanging official bundle (CN, C, etc), so its simplifications make it intractable in practice.
Perhaps OpenPGP is not the solution to the OP's problem - although with the right supporting infrastructure, it could be. X509 digital certificates have some of that support infrastructure and thus go beyond OpenPGP. But, to truly solve a business problem, you need more than either PGP or digital certificates - you also need a mechanism that takes "identity" attributes from all relevant parties, processes business rules and makes a decision about the transaction: i.e. an authorization mechanism.

Arshad Noor
StrongAuth, Inc.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography