On 09/07/2011 04:13 PM, d...@geer.org wrote:
Peter (or anyone) -- would you comment on the existence and practice of "bridge CAs" please? Extra credit (as in "thank you") for its plausible role in public clouds.
Two of the best-known Bridge CAs are the Federal Bridge CA, a component of the Federal PKI:

- http://www.idmanagement.gov/pages.cfm/page/Federal-PKI

and the SAFE-BioPharma Bridge CA:

- http://www.safe-biopharma.org/
- http://en.wikipedia.org/wiki/SAFE-BioPharma_Association

There may be others, but I'm not aware of them.

Their usefulness stems from the fact that they allow completely independent PKIs to "trust" each other's digital certificates if a long list of assumptions are satisfied. A fundamental requirement for the establishment of such trust is the mapping of certification policies between PKIs, and the determination (by lawyers and PKI technologists) that they are equivalent in practice. While they are not "CACA"s, they facilitate "trust" between disparate PKIs through the Bridge CA.

If a public cloud containing a collection of digital certificates issued by a PKI, and another public cloud with a collection of digital certificates from a second PKI, can map their policies and practices between themselves, there is technically no reason why a Bridge CA cannot facilitate "trust" between the two clouds. However, depending on the business problem being addressed, there are other - and sometimes simpler - ways to establish such trust without the need for Bridge CAs.

Arshad Noor
StrongAuth, Inc.
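The mechanics behind the reply above, as an added example that is not part of the original message or of any of the bridge programs it names: two independent self-signed roots ("Root A" and "Root B", names constructed here), a "Bridge CA" whose key is certified by Root A, and a cross-certificate in which the Bridge certifies Root B's key. A relying party that trusts only Root A can then build a path to an end-entity certificate issued by Root B, but only when the cross-certificates are available; without them validation fails, which is the "completely independent PKIs" situation. The policy mapping the reply calls fundamental is deliberately left out: a real bridge deployment carries certificatePolicies and policyMappings extensions in the cross-certificates, and this example only exercises the name-chaining and signature side with Go's standard crypto/x509 path builder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is the key and certificate of one CA.
type pki struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate is a minimal CA certificate template for the given common name.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// issue signs tmpl with the parent's key (certifying pub) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// selfSigned creates an independent root CA.
func selfSigned(cn string, serial int64) pki {
	k := newKey()
	t := caTemplate(cn, serial)
	return pki{key: k, cert: issue(t, t, &k.PublicKey, k)}
}

// scenario holds two independent PKIs, a bridge, the cross-certificates, and a PKI-B end entity.
type scenario struct {
	rootA, rootB, bridge pki
	crossAtoBridge       *x509.Certificate // Root A certifies the Bridge CA's key
	crossBridgeToB       *x509.Certificate // Bridge CA certifies Root B's key
	leafB                *x509.Certificate // issued under Root B's own self-signed certificate
}

func buildScenario() scenario {
	rootA := selfSigned("Root A", 1)
	rootB := selfSigned("Root B", 2)
	bridge := selfSigned("Bridge CA", 3)
	// A cross-certificate carries the same subject name and public key as the
	// cross-certified CA's own certificate, but is signed by a different issuer.
	crossAtoBridge := issue(caTemplate("Bridge CA", 10), rootA.cert, &bridge.key.PublicKey, rootA.key)
	crossBridgeToB := issue(caTemplate("Root B", 11), bridge.cert, &rootB.key.PublicKey, bridge.key)
	leafKey := newKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: "user@pki-b.example"}, // constructed sample subject
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leaf := issue(leafTmpl, rootB.cert, &leafKey.PublicKey, rootB.key)
	return scenario{rootA, rootB, bridge, crossAtoBridge, crossBridgeToB, leaf}
}

// verifyFromA validates the PKI-B leaf as a relying party that trusts only Root A.
// With withBridge=false the cross-certificates are withheld and no path exists.
func verifyFromA(s scenario, withBridge bool) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(s.rootA.cert)
	inter := x509.NewCertPool()
	if withBridge {
		inter.AddCert(s.crossAtoBridge)
		inter.AddCert(s.crossBridgeToB)
	}
	return s.leafB.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
}

// chainNames lists the common names along a validated path, leaf first, root last.
func chainNames(chain []*x509.Certificate) []string {
	names := make([]string, 0, len(chain))
	for _, c := range chain {
		names = append(names, c.Subject.CommonName)
	}
	return names
}

func main() {
	s := buildScenario()
	_, err := verifyFromA(s, false)
	fmt.Println("without bridge:", err)
	chains, err := verifyFromA(s, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("with bridge:   ", chainNames(chains[0]))
}
```

The validated path is leaf, the Bridge-signed certificate for Root B, the Root A-signed certificate for the Bridge, then Root A itself: four certificates, even though Root A and Root B never signed anything for each other directly. That indirection is exactly what makes the bridge attractive for a pair of clouds with separate PKIs, and also why the policy-mapping step matters: the path builder here accepts any syntactically valid chain, so the decision that Root B's issuance practices are acceptable to Root A's relying parties has to be encoded in the cross-certificates' policy extensions or enforced outside the path builder.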