Frank Hecker wrote:
> Nelson B wrote:
> > AFAIK, there's no uniform standard for classes.
> Correct AFAIK, although there are some sort-of conventions (e.g., "class 1" = minimal validation, e.g., via email,
> "class 4" = use of hardware tokens). Although of course this "sort-of" standardization is exactly what has plagued
> PKI from the very beginning (e.g., the proliferation of similar but not identical certificate profiles).
In the Federal and State/Local Government PKI implementations there has been and currently is a strong requirement for this type of certificate assurance level. In at least 4 implementations that I'm aware of, they use the exact same levels of certs (that also map to private key storage medium, BTW):

Low Assurance - Identity verified via electronic means (email address, databases), private key stored in software.
Medium Assurance - Identity verified using in-person methods (photo ID check by either an RA or by a Notary Public), private key stored in software.
High Assurance - Identity verified using in-person methods (photo ID check), private key stored in hardware (Smart Card or USB token).

They signify the assurance level by the CertificatePolicy OID, but unfortunately, they all use a different set of 3 OIDs to represent low/med/high. They then leave it up to the owners of a relying application to enforce which policy level is acceptable for their particular application.

Seems like a logical fit for what we're talking about here, except there needs to be a standard set of CP OIDs for the assurance levels, and there need to be checks and balances in the system to ensure that CAs asserting the CP OID are really performing the appropriate levels of I&A (identification & authentication).

-Alex
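As an added illustration of the relying-application check described above (example code, not from the thread or any of the government PKIs mentioned): the certificatePolicies extension is decoded, each asserted OID is looked up in a per-issuer table, and the resulting level is compared against the application's minimum. The OIDs under the 2.999 example arc, the CA names and the sample extensions are all constructed placeholders.

```python
# Added example (not from the thread): a relying app reads certificatePolicies and
# maps the CP OIDs to an assurance level. 2.999.* OIDs and CA names are placeholders.
POLICY_TABLES = {  # each deployment uses its own three OIDs, as the post notes
    "CA-A": {"2.999.1.1": "low", "2.999.1.2": "medium", "2.999.1.3": "high"},
    "CA-B": {"2.999.2.10": "low", "2.999.2.20": "medium", "2.999.2.30": "high"},
}
RANK = {"low": 1, "medium": 2, "high": 3}
def _tlv(tag, body):  # DER TLV with a short-form length (< 128 bytes), enough here
    return bytes([tag, len(body)]) + body
def _read_tlv(buf, pos):  # -> (tag, contents, offset just past this TLV)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_oid(dotted):  # OID contents: first two arcs merged, base-128 digits
    arcs = [int(a) for a in dotted.split(".")]
    out = b""
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return out

def decode_oid(body):  # inverse of encode_oid, back to dotted form
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    lead = min(arcs[0] // 40, 2)
    return ".".join(map(str, [lead, arcs[0] - 40 * lead] + arcs[1:]))

def policy_oids(ext_value):  # policyIdentifier of each PolicyInformation
    tag, seq, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)        # PolicyInformation SEQUENCE
        _, oid_body, _ = _read_tlv(info, 0)       # first element is the OID;
        oids.append(decode_oid(oid_body))         # policyQualifiers are skipped
    return oids

def assurance_level(ext_value, issuer):  # highest level the issuer's table maps
    table = POLICY_TABLES.get(issuer, {})
    levels = [table[o] for o in policy_oids(ext_value) if o in table]
    return max(levels, key=RANK.get) if levels else None
def meets_minimum(ext_value, issuer, minimum):  # the check a relying app enforces
    return RANK.get(assurance_level(ext_value, issuer), 0) >= RANK[minimum]

# Constructed samples: CA-A medium (with a CPS URI qualifier), CA-B high.
CPS = _tlv(0x30, _tlv(0x06, encode_oid("1.3.6.1.5.5.7.2.1")) + _tlv(0x16, b"http://cps.example"))
SAMPLE_A = _tlv(0x30, _tlv(0x30, _tlv(0x06, encode_oid("2.999.1.2")) + _tlv(0x30, CPS)))
SAMPLE_B = _tlv(0x30, _tlv(0x30, _tlv(0x06, encode_oid("2.999.2.30"))))
```

Note that SAMPLE_A yields no level at all when checked against CA-B's table: without a standard set of CP OIDs, the same extension is meaningless unless the relying application already knows which issuer's mapping applies.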