On 09/04/2012 04:33 PM, Adam Langley wrote:
> On Tue, Sep 4, 2012 at 1:13 PM, Tim Moses <tim.mo...@entrust.com> wrote:
>> Please take a moment to look it over and comment. I need your help to
>> correct and complete it.
>
> I'm afraid that, while I love the use of ASCII-art, I find the document
> very hard to understand. If I didn't already know what it was trying
> to say, I don't believe that I'd have a hope of understanding it.
While I think we need some kind of taxonomy/shared vocabulary like this document is trying to introduce, I'm afraid I have to echo Adam's sentiment here. The terminology and the ASCII artwork seem confusing rather than enlightening.

There are also some curious inconsistencies in this document. For example, section 3.1 ("Client Application uses OS root store") says "[the certificate user software] may then apply additional checks, such as checking that the certificate subject's domain name matches that requested by the certificate user." But surely that's also the case in section 2 ("Basic trust model") and the other 3.x sections?

Also, section 3.8 ("The certificate user directly trusts a certificate-holder certificate") says:

  Clearly, in this case, the user does not benefit from any of the
  assurances normally provided by the policy management authority, the
  root CA, or the issuing CA.

3.7 contains similar language, but nowhere else in the document are any "assurances" mentioned. What do users generally expect from these assurances? Perhaps such things should be mentioned specifically before being referenced?

Arguably, the same section could also say "In this case, the user's connections cannot be compromised by any flaws in the validation and certification processes enacted by the policy management authority, the root CA, or the issuing CA." I'm not sure one text is in any way more correct than the other, but it seems odd to have just the one perspective presented.

Regards,

--dkg
_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops