Some comments:

> I agree with everything you say above: the PKIX should be a way of reliably mapping between domain names and keys, and nothing more.

[JR] Incorrect. From 5280: "The goal of this specification is to develop a profile to facilitate the use of X.509 certificates within Internet applications for those communities wishing to make use of X.509 technology. Such applications may include WWW, electronic mail, user authentication, and IPsec. In order to relieve some of the obstacles to using X.509 certificates, this document defines a profile to promote the development of certificate management systems, development of application tools, and interoperability determined by policy."

> Value judgements and policy belong at different layers of the stack than PKI (ideally, in layers with more user control and less exposure to 50-150 jurisdictions).

[JR] Your statement above was a policy statement and value judgment. By doing so, you are placing a policy constraint on PKI that does not exist in the RFCs.

> Unfortunately, the people who set up the PKIX didn't understand this, and put a lot of foolish policy-like language into the hybrid CPS-Baseline Requirements-industrial complex.

[JR] I think they understood it quite well. It was designed to map keys to subject information and permit a variety of uses. In that, PKI is quite flexible as evidenced by the broad use across a variety of platforms and applications (including email, access control, sign-on services, SSL, etc).

Jeremy

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy