At 7:56 PM +0100 2/8/12, DIEGO LOPEZ GARCIA wrote:
> On 8 Feb 2012, at 17:36 , Stephen Kent wrote:
>> In the physical world we recognize that certain
>> entities are authoritative for identifying people
>> or orgs. These entities issue credentials to
>> people and orgs, and these credentials are
>> accepted for identification and/or authorization
>> purposes, in selected contexts. If a CA issues
>> certs with IDs for which the CA is authoritative,
>> it mimics the real world model, and that's
>> generally good. In many of the federation
>> examples with which I am familiar, there is too
>> much reliance on parties to vouch for identities
>> in a nonauthoritative fashion. This is not a
>> problem for all such systems, but for many.
> I won't argue your point, but let me insist that is rather a matter
> of common practices in identity vetting than of the architectures or
> technologies themselves. CAs can be as lax as the sloppiest federated
> identity provider, and conversely a federation can require its
> participating identity providers to apply procedures as strict as
> the ones used by top-level CAs.
I think the real issue, which you may have overlooked in my comments
above, is the notion that the best candidate for a CA is an entity
that is authoritative for the identity asserted in the cert. Based on
your reply, I get the sense that you're focusing on CAs like the
current set of browser TAs, all of which fail to meet the criteria I
cited.
Steve
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey