David A. Cooper wrote:
<snip>
>
> I believe that I have heard a general consensus that the TAM protocol
> (or message syntax) needs to be able to specify more than just a list
> of trust anchors, but also constraints on the use of each trust
> anchor. Some of these constraints may apply equally to all TA types,
> such as the set of applications with which the TA may be used.
> However, as you have said, we need to allow for constraints that are
> format specific. For X.509, the most obvious constraints are the
> inputs to the path validation algorithm (name constraints, policy

I don't understand that statement. The constraints you mention are extensions to X.509 certificates which undoubtedly are important when a PKIX implementation _uses_ a TA (e.g. part of path construction or path validation) but I don't see why this information is needed when storing or retrieving a TA from a TA store.

I'm implicitly assuming that the number of TAs for any given application won't be so large so as to require more than a list-all type-of access to the TA store.

Cheers Leif