Nelson B wrote:
AFAIK, there's no uniform standard for classes.

Correct AFAIK, although there are some sort-of conventions (e.g., "class 1" = minimal validation, e.g., via email, "class 4" = use of hardware tokens). Although of course this "sort-of" standardization is exactly what has plagued PKI from the very beginning (e.g., the proliferation of similar but not identical certificate profiles).

It might help a lot if there were. WebTrust doesn't require classes. They test only that a CA does what their CPS says, whatever that is.

The ETSI standards (TS 101 456 and 102 042) do define a reasonably straightforward set of classes, although they don't use the word "classes" per se. (They refer to "certificate policies".)

Also, the Electronic Authentication Partnership does define a set of standard classes in their "trust framework" working draft:

  http://www.eapartnership.org/docs/Trust_Framework_0105.pdf

However... beyond the lack of standardization, what I find problematic about all these documents is that they focus on levels of assurance in isolation, independent of the contexts to which the assurance is actually relevant. It's just rehashing the old PKI practice of focusing on authentication of entity identity as the only issue, and not looking at the actual real-world applications.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto