[ppml] Policy Proposal 2007-1 - Staff Assessment

Fergie fergdawg at netzero.net
Sat Apr 14 02:12:17 EDT 2007


-- Randy Bush <randy at psg.com> wrote:

>> Sorry for jumping into the middle of the discussion, but just a
>> question in response to something Bill said w.r.t. x.509 -- this
>> is an issue that continues to crop up on several fronts, yet there
>> seems to be no real x.509 solution in sight.
>
>not exactly.  to quote russ housley from a different room where related
>issues are being discussed
>
>> There are two mechanisms in X.509 that might be useful:
>> 
>> Cert Policy - Here an OID says that the certificate was issued in 
>> accordance with a particular policy, and then the application makes 
>> sure that the certification path is valid under that policy.
>> 
>> EKU - Here an OID is carried in the extended key usage extension to 
>> indicate the applications that the certificate was intended to support.
>
>these are not magic panaceas.  but they are a path that might be trod.
>

Well, that's all well and good, in a manner of speaking.

What would be _better_ is a convergence of a sane cert policy and
a reasonable PKIX infrastructure -- many other things could work
from this (e.g. IRR policy frobs, DNSSEC, SIDR, and even SAVA), but
I'm aware this is not the right forum for those discussions.

My point is this: an effort should be made to use an extensible
certificate/certification/validation architecture which can also
be extended for other technical mechanisms in the plumbing.

If you go down the path of least resistance (a la PGP), then you've
pretty much cornered yourselves into a semi-non-extensible mechanism
that is pretty much "limited" w.r.t. how it could be used in a
larger scheme.

Would you agree?

Or does it really matter?

I'm just thinking out loud here...

Thanks,

- ferg




--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
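The two X.509 mechanisms Russ Housley is quoted on above (Certificate Policies and Extended Key Usage), decoded from their DER extension values and checked the way a relying application would. This is an added example, not code from the post or from any project it mentions; the sample extension bytes and the policy OID under the 1.3.6.1.4.1.99999 arc are constructed placeholders.

```python
# Added example (not from the post): a stdlib-only DER decoder for the two
# X.509 extension values discussed (RFC 5280): Extended Key Usage, which is
# SEQUENCE OF OID, and Certificate Policies, which is SEQUENCE OF
# PolicyInformation { policyIdentifier OID, policyQualifiers OPTIONAL }.
# The relying application then checks both against the OIDs it requires.

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """OID contents octets -> dotted form (first octet packs arcs 1 and 2, rest are base-128)."""
    first = contents[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear terminates this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extension_oids(der):
    """OIDs asserted by an EKU or CertificatePolicies extension value. Bare OIDs (EKU) are
    taken directly; in PolicyInformation the policyIdentifier is the first element of
    each inner SEQUENCE and any policy qualifiers are ignored."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension value must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0x06:
            found.append(decode_oid(val))
        elif tag == 0x30 and val and val[0] == 0x06:
            found.append(decode_oid(_tlv(val, 0)[1]))
    return found

def acceptable(eku_der, policies_der, required_eku, required_policy):
    """Application-side rule: the cert must be intended for this use (EKU) AND carry the expected policy."""
    return required_eku in extension_oids(eku_der) and required_policy in extension_oids(policies_der)

# Constructed sample extension values (not taken from any real certificate).
SERVER_AUTH, EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.4"
EXAMPLE_POLICY = "1.3.6.1.4.1.99999.1.1"   # placeholder private-enterprise policy OID
EKU_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")  # serverAuth, clientAuth
POLICIES_DER = bytes.fromhex("3016" "3006" "0604551d2000"                       # anyPolicy (2.5.29.32.0)
                             "300c" "060a2b06010401868d1f0101")                 # EXAMPLE_POLICY, no qualifiers
```

`acceptable(EKU_DER, POLICIES_DER, SERVER_AUTH, EXAMPLE_POLICY)` returns True, while asking for EMAIL_PROTECTION against the same bytes returns False, which is the "intended application" check the EKU extension exists to make.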