Just finished a cover-to-cover reading of Planning for PKI [1] and it sure cleared up some things for me. Thanks to Richard Levitte for recommending it.
It seems most of the cognitive dissonance I've been having with this PKI stuff is due to the "PKI theoretics" being based upon a pair of assumptions, neither of which obtains in the real world.
Assumption 1: "There is a global X.500 repository, containing all the certificates, so no assumptions need be made on OBTAINING certificates, it suffices to prove that a valid chain of certificates EXISTS"
Assumption 2: "Relying-party software is competent to find all valid certificate chains, so no assumptions need be made on SELECTING certs, it suffices to prove that a valid chain of certificates EXISTS"
As a simple example, I had been unable to discern any operational difference between a bridge CA and a simple hierarchy with the bridge CA at the top. After reading the book, I realize that in fact THERE IS NO DIFFERENCE until you consider REVOCATION. Let L be the local root and B be the bridge root, then when the bridge is the top of a simple hierarchy a local relying party uses the certificates:
+-+------+    +-+------+
|T|      |    |T|      |
+-+------+    +-+------+    Making the bridge simply one more entry in
| L root |    | B root |    the "trust list" schema from the book
+--------+    +--------+
while for the bridge case it uses:
+-+------+    +-+------+
|T|      |    |(L root)|
+-+------+    +-+------+    In this case the L root can revoke the
| L root |    | B root |    certificate that trusts the bridge
+--------+    +--------+
There is no difference here until we talk about revocation, since both configurations trust the same set of certificates: (the ones signed by L) union (the ones signed by B).
Given this, does anybody know any good references on how the various browsers can interact with a local LDAP directory, in terms of fetching certificates and CRLs when needed?
[1] Planning for PKI, Russ Housley and Tim Polk, Wiley, New York, 2001 http://www.amazon.co.uk/exec/obidos/ASIN/0471397024/qid=1095958618/sr=1-12/ref=sr_1_2_12/026-0124672-5623666
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
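The contrast drawn in the post, as an added example that is not part of the original message: a shell script driving the openssl command line (assumes OpenSSL 1.1.1 or 3.x on PATH; all names, serials and the ca config are constructed for the demo). It builds roots L and B, an end-entity certificate issued by B, and an L-signed cross-certificate Bx for B's key, then verifies the leaf under the trust-list model and the bridge model before and after L revokes Bx.

```shell
#!/bin/sh
# Constructed demo (not from the post): one end-entity cert issued by B is
# checked under the trust-list model (L and B both anchors) and under the
# bridge model (only L is an anchor, B is reached via an L-signed cross-cert).
# Only the bridge model lets L cut B off, by revoking that cross-cert.
set -e
work=$(mktemp -d); cd "$work"
q() { "$@" >/dev/null 2>&1; }                      # run quietly

# Two self-signed roots and an end-entity cert issued by B.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout L.key -out L.crt -subj /CN=L-root -days 30
q openssl req -x509 -newkey rsa:2048 -nodes -keyout B.key -out B.crt -subj /CN=B-root -days 30
q openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr -subj /CN=ee.example
q openssl x509 -req -in ee.csr -CA B.crt -CAkey B.key -set_serial 4097 -days 30 -out ee.crt

# Cross-certificate Bx: L certifies B's key as a CA ("the cert that trusts the bridge").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
q openssl req -new -key B.key -subj /CN=B-root -out B.csr
q openssl x509 -req -in B.csr -CA L.crt -CAkey L.key -set_serial 4098 -days 30 -extfile ca.ext -out Bx.crt

# Minimal 'openssl ca' setup so each root can issue CRLs.
for n in L B; do : > "$n.idx"; echo 01 > "$n.num"; done
printf '[ca]\ndefault_ca = L\n' > ca.cnf
for n in L B; do printf '[%s]\ndatabase = %s.idx\ncrlnumber = %s.num\ncertificate = %s.crt\nprivate_key = %s.key\ndefault_md = sha256\ndefault_crl_days = 30\n' "$n" "$n" "$n" "$n" "$n" >> ca.cnf; done
crls() { for n in L B; do q openssl ca -config ca.cnf -name "$n" -gencrl -out "$n.crl"; done; cat L.crl B.crl > all.crl; }
crls

# Trust-list model: both roots are anchors; the chain is ee -> B.
verify_trustlist() { cat L.crt B.crt > trust.pem
  q openssl verify -crl_check_all -CAfile trust.pem -CRLfile all.crl ee.crt; }
# Bridge model: only L is an anchor; the chain is ee -> Bx -> L.
verify_bridge() { q openssl verify -crl_check_all -CAfile L.crt -CRLfile all.crl -untrusted Bx.crt ee.crt; }
# L withdraws its trust in the bridge by revoking Bx and reissuing its CRL.
revoke_bridge() { q openssl ca -config ca.cnf -name L -revoke Bx.crt; crls; }

report() { "$@" && echo "$1: ee.crt accepted" || echo "$1: ee.crt rejected"; }
report verify_trustlist; report verify_bridge     # both accepted
revoke_bridge
report verify_trustlist; report verify_bridge     # trust list still accepts, bridge rejects
```

The trust-list result does not change after the revocation because that chain never passes through Bx, which is exactly why the two layouts only differ once revocation is in play.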