X.509 / PKI, PGP, and IBE Secure Email Technologies

Anne & Lynn Wheeler lynn at garlic.com
Fri Dec 9 16:53:02 EST 2005


Ed Gerck wrote:
> I believe that's what I wrote above. This rather old point (known to the
> X.509 authors, as one can read in their documents) is why X.509 simplifies
> what it provides to the least possible _to_automate_ and puts all the local and
> human-based security decisions in the CPS.
> 
> (The fact that the CPS is declared to be out of scope of X.509 is both a
> solution and a BIG problem as I mentioned previously.)

i like the explanation that some attempted to give at the acm sigmod
conference in san jose (circa 1992) .... of what was going on in the
x.5xx standards activities; ... a bunch of network engineers trying to
re-invent 1960s database technology ...

the x.509 digital certificates being a stale, static cacheable entry of
something in x.500 ldap database ... that was armored for survival in a
potentially hostile environment and for relying parties that didn't have
the ability to access the real database entry.

cps was something that was needed for trusted third party certification
authority operation ... not for x.509 identity certificate itself. the
issue is when you effectively have these stale, static cacheable,
armored database entries that aren't part of an organization and
business processes that relying parties belong to. traditional access to
database entries (whether you are directly accessing the entry or a
stale, static cached copy of the database entry) ... the business
processes accessing the data and the businesses responsible for the data
are part of the same operation and/or belong to organizations that have
binding contractual relationships.

it is only when you have parties responsible for the information
(trusted third party certification authorities) that are 1) totally
different from the parties relying on the information and/or 2) the
different parties have no contractual relationships.

one could hypothesize that the creation of CPS was to provide some sort
of substitute for a contractual relationship between different
organizations/parties where the relying party has no means of directly
accessing the information and must rely on a stale, static digital
certificate representation (of that information), provided by an
organization with which the relying party has no contractual relationship
(just claiming to be a trusted third party certification authority
possibly wasn't enough of a sense of security for some relying parties
and so CPS were invented to provide relying parties a higher sense of
comfort in lieu of having something like an actual contractual
relationship).

that makes CPSs a substitute for contractual relationships when x.509
digital certificates are used for trusted third party certification
authorities where the relying parties and the TTP/CAs are different
organizations.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com