On 09/04/2012 04:33 PM, Adam Langley wrote:
> On Tue, Sep 4, 2012 at 1:13 PM, Tim Moses <tim.mo...@entrust.com> wrote:
>> Please take a moment to look it over and comment.  I need your help to
>> correct and complete it.
> 
> I'm afraid that, while I love the use of ASCII-art, I find the document
> very hard to understand. If I didn't already know what it was trying
> to say, I don't believe that I'd have a hope of understanding it.

While I think we need some kind of taxonomy/shared vocabulary like this
document is trying to introduce, I'm afraid I have to echo Adam's
sentiment here.  The terminology and the ASCII artwork seem confusing
rather than enlightening.

There are also some curious inconsistencies in this document.  For
example, section 3.1 ("Client Application uses OS root store") says

  "[the certificate user software] may then apply additional
   checks, such as checking that the certificate subject's domain name
   matches that requested by the certificate user."

But surely that's also the case in section 2 ("Basic trust model") and
the other 3.x sections?

Also, section 3.8 ("The certificate user directly trusts a
certificate-holder certificate") says:

   Clearly, in this case, the user does not benefit from any of the
   assurances normally provided by the policy management authority, the
   root CA, or the issuing CA.

3.7 contains similar language, but nowhere else in the document are any
"assurances" mentioned.  What do users generally expect from these
assurances?  Perhaps such things should be mentioned specifically before
being referenced?

Arguably, the same section could also say "In this case, the user's
connections cannot be compromised by any flaws in the validation and
certification processes enacted by the policy management authority, the
root CA, or the issuing CA." I'm not sure one text is in any way more
correct than the other, but it seems odd to have just the one
perspective presented.

Regards,

        --dkg

