In order to clarify many of Tom's points below, I suggest the following terms/definitions:

Certificate Policy - The policy authored and followed by the Certificate Authority

Trust Store Policy - The policy authored by the various Trust Store operators governing CA certificate inclusion in their Trust Store

Subscriber Agreement - The terms and conditions placed upon the subscriber of an end-entity certificate

Relying Party Agreement - The terms and conditions to which the relying party/end-user either implicitly or explicitly agrees when making use of a particular end-entity certificate.
Regards,
Rich Smith
Validation Manager
Comodo

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Tom Ritter
> Sent: Tuesday, June 11, 2013 7:31 PM
> To: Bruce Morton
> Cc: wpkops WG ([email protected]) ([email protected])
> Subject: Re: [wpkops] Trust Model
>
> Some thoughts on a first read-through:
>
> each of which is under the control of a CA
> and managed in conformance with the certificate policy accepted by
> the certificate-using client supplier.
>
> This confused the heck out of me on first read-through. Also, in (2)
> you say "certificate policy" meaning the policy created by the CA (I
> think), in (2.1) you say "certificate policy" meaning the policy
> created by the root store. (At least, AFAICT)
>
> The following graphic shows the
> relationship of the parties in the trust model.
>
> There is no graphic.
>
> "certificate-using client"
>
> This seems to be used a lot - maybe we can define a term for this in
> the beginning, e.g. "Client"
>
> The root store provider stores and manages root
> certificates in its certificate-using client to support the trust
> model.
>
> What trust model? We're trying to define the trust model, did you mean
> 'trust service'?
>
> The root store provider determines how trust will be
> validated
>
> It's not obvious to me what you mean by the noun 'trust' in this
> sentence.
>
> The root CAs
> issue certificates for subordinate issuing CAs
>
> It may be obvious, but perhaps we should specify here (and in the
> following sentences) who signs whom?
>
> The CA entity manages root, intermediate and issuing CAs in
> accordance with the certificate policy. The CA entity operates the
> certificate issuance and management system in accordance with the
> certificate policy. .
>
> These sentences seem awkward because they have the same verb and second
> half. Also, stray period =)
>
> The CA entity operates a registration authority which authenticates
> requests for certificates in accordance with the certificate policy.
>
> Which certificate policy?
>
> Once the certificate request has been accepted,
> the subscriber will receive the certificate and will manage the
> certificate in accordance with the certificate policy.
>
> Wait, now there's another certificate policy, this one applying to the
> subscriber.
>
> The relying party implicitly accepts the
> certificate policy by choosing to use a particular certificate-using
> client.
>
> I guess technically they're implicitly accepting all three.... but the
> ambiguity still bothers me.
>
> The certificate-using client does not use its own root store, but
> uses the root store managed by a separate root store provider. The
> certificate-using client evaluates the subscriber's certificate and
> may check the certificate subject's domain name matches that
> requested by the subscriber.
>
> The last sentence describes the checks done. 'evaluate' is super
> ambiguous. And nowhere does it say it actually uses the root store.
> Obviously client behavior is all over the place, but I feel like there
> should be a 'Usually, the client...'
>
> As the cross-certified root CA is also recognized directly by
> the root store provider, it operates in accordance with the
> requirements of that certificate policy, regardless of any
> requirements placed upon it by the contract between it and the
> cross-certifying root CA.
>
> This is another one of those "read it five times aloud slowly and I
> think I got it now" sentences. Also, I have no idea what those
> requirements placed upon via contract might be. Maybe an example would
> help me?
>
> -tom
> _______________________________________________
> wpkops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/wpkops
