delegating SSL certificates

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Mar 16 06:26:07 EDT 2008


travis+ml-cryptography at subspacefield.org writes:

>I would think this would be rather common, and I may have heard about certs
>that had authority to sign other certs in some circumstances...

The desire to do it isn't uncommon, but it runs into problems with PKI
religious dogma that only a CA can ever issue a certificate.  For example I
proposed this on the PKIX working group nearly a decade ago, specifically the
ability for end entities with signing certs to issue their own encryption
certs, since there's absolutely no need to involve a CA in this.  I've still
got the draft online at
http://www.cs.auckland.ac.nz/~pgut001/pubs/autonomous.txt.  The WG chair's
response was "we don't want to turn X.509 into PGP", and that was the end of
it.  The grid computing folks eventually got something through in the form of
proxy certificates for the Globus GSI, but that probably isn't what you're
looking for.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


