Steve Kent was faster than I was about posting some of the problems with the definitions. But he stopped there, so let me continue with the "basic trust model".
Just a reminder from our WG charter: The working group's goal is to describe how the Web PKI "actually" works in the set of browsers and servers that are in common use today. Given that, I believe the following is fairly flawed. In the basic Web PKI trust model, a certificate-using product includes a root store that contains one or more root certification authority public keys, each of which is under the control of a CA and managed in conformance with the certificate policy prescribed and administered by the certificate using product supplier. Each such root certification authority issues a certificate to one or more issuing CAs that are under the control of the same commercial CA. Each issuing CA accepts and responds to certificate requests from one or more certificate applicants via one or more registration authorities that are under the control of the same CA. If the request is granted, then the certificate applicant becomes a certificate holder. The role of the registration authority is to confirm the accuracy of the information provided in the certificate request. - Some web browsers have a root store, but others use the OS's root store - Some of these root stores have public keys associated with an enterprise; those keys are often not managed in conformance with anything - "Commercial" is just plain wrong: many trust anchors are run by governments - Many trust anchors in the root store issue end entity certificates directly - Many trust anchors in the root store do not have registration authorities In summary: this definition does not represent how the Web PKI actually works. The text that follows seems based on these assumptions, and thus has similar problems. --Paul Hoffman _______________________________________________ wpkops mailing list [email protected] https://www.ietf.org/mailman/listinfo/wpkops
