At 3:14 PM -0800 2/9/12, Joe St Sauver wrote:
Steve commented:

#I think we are in agreement. CAs that are not authoritative for asserted
#identities are as bad as federated trust entities with similar properties.

I tend to be a concrete thinker, so I hope you'll indulge me for a minute
in a concrete exercise related to your assertion.

No problem.

-- Assume a hypothetical CA is operated by a national government, and it
   issues client certs to citizens of that nation. I believe that this would
   likely be an example of a CA that is authoritative for the identities that
   it is asserting -- true? (We'll set aside issues of how governments
   bootstrap a definitive identification document in the potential absence
   of an existing definitive identification document)

yes, this is a good example, if the certs convey the identity of the individuals as citizens of that country.

-- Would a hypothetical CA operated by a corporation, issuing client certs
   to its employees, also be authoritative for its employees from your
   point of view? Does it matter if they assert a name or a company email
   address or ? (We'll set aside the possibility that credentials might
   be able to be issued by the corporation without the involvement of the
   employee nominally associated with that credential)

A CA operated by a company is the right CA to identify individuals as employees of that company. If the company operates its domain and manages mailboxes for its employees in that domain, then it is the right CA to issue certs with
employee e-mail addresses.

-- What's the solution for the person who lacks an authoritative source
   for a certificate? Would it be better if they simply couldn't get a
   cert? Or is there some road that they might travel that might allow
   them to find (like Dorothy and the Wizard of Oz), someone who could
   become authoritative for them?

Note that the citizen and employee certs are not universally acceptable for all transactions. The citizen cert is analogous to a passport, and I can't use a passport in lieu of a driver's license or an Amex card. We need different certs to express different forms of identity. So, I think the right question is what classes of certs do people need, for which classes of transactions. If I can get a driver's license or state-issued ID card, then I ought to be able to get the same credential in cert format.

So, if a person has no e-mail address, he ought not get a cert with an email address in it. If you have a Gmail address, then Google is the right entity to issue a cert with ONLY an e-mail address in it.

Given this explanation, I don't understand your question. It sounds like you are thinking of a one cert per person model, which is the antithesis of what I suggested.

-- What if the authoritative source is unwilling to issue credentials to
   one of its subjects/employees/members? (e.g., think of some individuals
   who have been denied the right to travel in some countries in the past)
   Should there be the certificate equivalent of a Nansen passport for
   those who are effectively stateless?

Depends. If a company will not issue certs to its employees, then they can't
be reliably certified as employees of the company in question. Nansen passports are not issued anymore, but the moral equivalent is issued by the UN today. Such a cert would not identify the holder as a citizen of a specific country, which is the feature of a passport.

Or should we just be trusting a certification authority to do what it
says it will do in its CPS, perhaps just confirming that an email address
asserted in a certificate request is indeed accessible by the party that's
requesting a cert with that "identity"?

Trusting a CA based on its CPS, without an ability to constrain the scope of identities that the CA can certify is dangerous. This is why we have the current mess of

Steve
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
