Steve commented:
# I think we are in agreement. CAs that are not authoritative for asserted identities are as bad as federated trust entities with similar properties.
I tend to be a concrete thinker, so I hope you'll indulge me for a minute in a concrete exercise related to your assertion.

-- Assume a hypothetical CA is operated by a national government, and it issues client certs to citizens of that nation. I believe that this would likely be an example of a CA that is authoritative for the identities that it is asserting -- true? (We'll set aside issues of how governments bootstrap a definitive identification document in the potential absence of an existing definitive identification document.)

-- Would a hypothetical CA operated by a corporation, issuing client certs to its employees, also be authoritative for its employees from your point of view? Does it matter if they assert a name or a company email address or ? (We'll set aside the possibility that credentials might be able to be issued by the corporation without the involvement of the employee nominally associated with that credential.)

-- What's the solution for the person who lacks an authoritative source for a certificate? Would it be better if they simply couldn't get a cert? Or is there some road that they might travel that might allow them to find (like Dorothy and the Wizard of Oz) someone who could become authoritative for them?

-- What if the authoritative source is unwilling to issue credentials to one of its subjects/employees/members? (e.g., think of some individuals who have been denied the right to travel in some countries in the past.) Should there be the certificate equivalent of a Nansen passport for those who are effectively stateless? Or should we just be trusting a certification authority to do what it says it will do in its CPS, perhaps just confirming that an email address asserted in a certificate request is indeed accessible by the party that's requesting a cert with that "identity"?

Thanks,
Joe

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
