> >As for the TAA definition, how about:
> >
> >A Trust Anchor Administrator (TAA) is the entity represented by the trust
> >anchor. The TAA controls the private key of the trust anchor.
>
> A public key with associated crypto parameters and associated
> restrictions do not "represent" anyone.
>
> Further, this definition breaks the model we have been discussing,
> where a TAA gives the client one or more TAs for the client to
> install. This definition causes the client to now have many TAAs, one
> for each TA they installed.
I agree. A Trust Store Anchor may correspond to a TAA, but the trust anchors that are installed clearly do not (e.g., Verisign's trust anchors will be installed by a lot of entities that aren't part of Verisign).

> Going back to the definition presented in Chicago:
>
> A Trust Anchor Administrator (TAA) is an entity which gives trust
> anchor instructions to clients.
>
> This says that anyone can be a TAA, although obviously a particular
> client will only listen to one or a small number of TAAs.

And if we want to formalize local identification and authorization of the TAA, I suggest introducing the concept of a Trust Store Anchor.

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
[EMAIL PROTECTED] Mobile: +1 (978) 394-7754
----------------------------------------------------