To: Keith Moore <moore@cs.utk.edu>
CC: Greg Hudson <ghudson@MIT.EDU>, keydist@cafax.se
From: Steve Hanna <steve.hanna@sun.com>
Date: Thu, 17 Jan 2002 12:04:33 -0500
Sender: owner-keydist@cafax.se
Subject: Re: Trusting keys (was Re: looking for draft volunteers)

Keith Moore wrote:
> It would be completely, absolutely irresponsible for IETF to
> recommend that everyone place trust in a VeriSign-signed root
> key - even for casual use.

Completely agreed.

> > > I think a single framework could accommodate the entire spectrum
> > > of trustworthiness vs. pre-verification. The real trick is to
> > > provide the user with enough information so that he doesn't place
> > > an inappropriate amount of trust in whatever keys he's getting.
> >
> > I think that this is a very hard problem, similar to the problem of
> > allowing multiple DNS roots without creating hopeless confusion.
>
> I agree that it's a difficult problem, but I don't think it's similar to
> the multiple root problem. Overnight I realized that you can't assign
> trust values that can be compared to different keys. What you can say
> are things like "this key is signed by a key that you trust for purpose
> X" and let users (or their superiors) supply the X for a given key.
> X might be "casual use" or "XYZ company business" or "XX government
> official business" or whatever.

This is a hard problem, but not impossible. In fact, the PKIX working
group has solved it with the certificate policy extension. Including
this extension in a certificate allows you to identify what the subject
key should be trusted for. The identifier is an OID. It can be local to
a particular organization (like "XYZ company business") or it can be
widely understood (like "suitable for casual email"). There's even a way
to map between different organizations' OIDs ("U.S. Top Secret implies
Canadian Restricted"), although that's rarely used.

-Steve
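The mechanism Steve describes (certificatePolicies naming what a key is trusted for, and policyMappings carrying a purpose across organizational boundaries, as in "U.S. Top Secret implies Canadian Restricted") can be modelled in a few lines. The following is an added illustration, not code from the keydist list or from PKIX: it walks a chain from a trust anchor to an end-entity key, intersecting the policies in play with what each certificate asserts and renaming them through any policy mappings, and then answers "is this key trusted for purpose X?" in the relying party's own vocabulary. Only the anyPolicy OID is real; the other OIDs, the certificates and the chains are constructed placeholders, and the walk is a simplified version of the RFC 5280 policy processing, not a complete validator.

```python
# Added example: simplified PKIX certificate-policy and policy-mapping check.
# Only ANY_POLICY is a real OID (RFC 5280 anyPolicy); every other OID, cert and
# chain below is a constructed placeholder for illustration.
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, defined by RFC 5280

# Constructed placeholder OIDs under a made-up private-enterprise arc.
CASUAL_EMAIL = "1.3.6.1.4.1.99999.1"   # "suitable for casual email"
XYZ_BUSINESS = "1.3.6.1.4.1.99999.2"   # "XYZ company business"
US_TOP_SECRET = "1.3.6.1.4.1.99999.3"  # "U.S. Top Secret" (fictional OID)
CA_RESTRICTED = "1.3.6.1.4.1.99999.4"  # "Canadian Restricted" (fictional OID)


@dataclass
class Cert:
    """Only the fields that matter for policy processing."""
    subject: str
    policies: frozenset                      # OIDs in certificatePolicies
    # policyMappings: issuerDomainPolicy -> set of subjectDomainPolicy
    mappings: dict = field(default_factory=dict)


def acceptable_purposes(anchor_policies, chain):
    """Return the purposes, named in the relying party's own OIDs, for which
    the last certificate in `chain` may be trusted.

    `anchor_policies` is what the relying party trusts the anchor for, and
    `chain` runs from the certificate issued by the anchor down to the
    end-entity certificate. Each step keeps only the policies the certificate
    asserts, then renames them through the certificate's policy mappings so
    the next certificate can be matched under the names its own domain uses.
    """
    # "OID expected in the next certificate" -> "OID as the relying party knows it"
    expected = {p: p for p in anchor_policies}
    for cert in chain:
        if ANY_POLICY in cert.policies:
            matched = dict(expected)                 # cert asserts every policy
        elif ANY_POLICY in expected:
            matched = {p: p for p in cert.policies}  # anchor trusted for anything
        else:
            matched = {p: o for p, o in expected.items() if p in cert.policies}
        if not matched:
            return set()                             # no policy survives: reject
        renamed = {}
        for p, origin in matched.items():
            for q in cert.mappings.get(p, {p}):      # unmapped policies keep their name
                renamed[q] = origin
        expected = renamed
    return set(expected.values())


def trusted_for(anchor_policies, chain, purpose):
    """Answer "is this key trusted for purpose X?" in the relying party's terms."""
    purposes = acceptable_purposes(anchor_policies, chain)
    return purpose in purposes or ANY_POLICY in purposes


# Constructed chains. A U.S. anchor cross-certifies a Canadian CA and maps its
# own "Top Secret" policy onto the Canadian "Restricted" policy.
US_TO_CANADA_MAPPED = Cert(
    subject="CN=Canadian Government CA",
    policies=frozenset({US_TOP_SECRET}),
    mappings={US_TOP_SECRET: {CA_RESTRICTED}},
)
US_TO_CANADA_UNMAPPED = Cert(           # same cross-cert without the mapping
    subject="CN=Canadian Government CA",
    policies=frozenset({US_TOP_SECRET}),
)
CANADIAN_OFFICIAL = Cert(
    subject="CN=J. Doe, O=Government of Canada",
    policies=frozenset({CA_RESTRICTED}),
)
COMMERCIAL_USER = Cert(
    subject="CN=someone@example.com",
    policies=frozenset({CASUAL_EMAIL}),
)
CROSS_BORDER_CHAIN = [US_TO_CANADA_MAPPED, CANADIAN_OFFICIAL]

if __name__ == "__main__":
    print(trusted_for({US_TOP_SECRET}, CROSS_BORDER_CHAIN, US_TOP_SECRET))   # True
    print(trusted_for({US_TOP_SECRET}, CROSS_BORDER_CHAIN, CASUAL_EMAIL))    # False
    print(trusted_for({CASUAL_EMAIL}, [COMMERCIAL_USER], XYZ_BUSINESS))      # False
```

Two outcomes are worth noting. Without the mapping in the cross-certificate, the Canadian key is not trusted for U.S. Top Secret even though both CAs are honest, because nothing tells the relying party that the two OIDs mean the same thing. And trusting an anchor for anyPolicy still leaves a casual-email key untrusted for "XYZ company business": the purpose has to be asserted in the certificate itself, which is the point of letting users or their superiors supply the X.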