On Nov 7, 2012, at 8:33 PM, Randy Bush <[email protected]>
wrote:
>>> sita has cache and has agreed to arin's silliness. rama, trying not to
>>> put load on CA publishers, rsyncs sita's cache and wants to validate it.
>>> hanuman rsyncs rama's cache, ...
>>
>> In the above circumstance, how do rama and hanuman find and consider
>> the terms and conditions of the CA's CP/CPS prior to building reliance
>> upon its surmised authentication and/or non-repudiation capabilities?
>
> they don't. they are too busy running networks, and assume CAs do their
> damned jobs.
We may be working on somewhat different assumptions, given that the PKIX
certificate architecture was defined to be just like an other Internet
PKI certificate system, i.e. there is no automatic legal binding between
the CA and the relying party, and relying parties are responsible for
determining whether their application of the certificates of a given CA
is appropriate in light of applicable CP and CPS. RFC 5280 states this
as a basic requirement of the PKIX profile in section 2:
"A certificate user should review the certificate policy generated by
the certification authority (CA) before relying on the authentication
or non-repudiation services associated with the public key in a
particular certificate. To this end, this standard does not
prescribe legally binding rules or duties."
In your example, is sita taking on this responsibility on behalf of rama
and hanuman? It is not apparent that this type of application is within
the standard's stated requirements, so it should not be surprising that
there's an impedance mismatch occurring.
FYI,
/John
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
