At 4:13 AM -0700 4/16/07, Kyle Hamilton wrote:

>I should mention that on the [EMAIL PROTECTED] list, there's been a fair amount
>of discussion on this topic. The concept that is put forth is that
>the trust anchor is the key -- and any metadata that the key surrounds
>itself with (such as a certificate, for ease of trust anchor
>distribution) is non-binding.

My reading of the archives is that there is disagreement on this. These are TLS folks who have been forced to live with the silliness of PKIX. I would characterize the sentiment on the list more as "non-binding but often useful".

>This gets into the concept of "key continuity management" for an
>entity as opposed to hierarchical trust for the entity. This is
>unfortunately a concept which is foreign to most X.509
>implementations.

Fully agree. The PKIX WG has made even more of a mess of key and cert management than they have with the cert format.

>My view? If a trust anchor asserts its validity ending on a given
>date, that's a policy decision asserted by that trust anchor (even
>though a CA is identified by its name, not by its key).

Agree.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
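The "key continuity" model the thread contrasts with hierarchical X.509 trust, as an added example that is not part of the original message or of any Mozilla code: a store that pins the SubjectPublicKeyInfo fingerprint of the key a peer presents, so the certificate wrapped around that key is treated as non-binding metadata, and the certificate's own notAfter is honoured or ignored according to local policy rather than as an absolute rule. KEY_A, KEY_B, the hostname and the timestamps are constructed sample inputs (the byte strings are stand-ins for DER SPKI blobs, not real keys), and the class and function names are mine.

```python
"""Key continuity (trust on first use) keyed on the public key, not the cert."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    PINNED_FIRST_USE = "no pin yet; key recorded"
    CONTINUITY_OK = "presented key matches the pin"
    KEY_CHANGED = "presented key differs from the pin"
    EXPIRED_METADATA = "key matches the pin, but its own validity assertion has lapsed"


@dataclass
class Presented:
    """What a peer handed us: the key (the anchor) plus metadata around it.

    spki_der is the DER SubjectPublicKeyInfo; not_after is the validity end
    the surrounding certificate asserts, if there is one.
    """
    identity: str
    spki_der: bytes
    not_after: Optional[datetime] = None


def spki_fingerprint(spki_der: bytes) -> str:
    """Pin the key itself; the certificate wrapping it may change freely."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class KeyContinuityStore:
    # Local policy knob: the cert's expiry is an assertion by the anchor about
    # itself, so whether we enforce it is our decision, not the issuer's.
    honour_self_asserted_expiry: bool = False
    pins: Dict[str, str] = field(default_factory=dict)

    def check(self, p: Presented, now: datetime) -> Outcome:
        fp = spki_fingerprint(p.spki_der)
        pinned = self.pins.get(p.identity)
        if pinned is None:
            self.pins[p.identity] = fp  # first contact: remember this key
            return Outcome.PINNED_FIRST_USE
        if pinned != fp:
            return Outcome.KEY_CHANGED  # never silently re-pin on a key change
        if p.not_after is not None and now > p.not_after:
            return Outcome.EXPIRED_METADATA
        return Outcome.CONTINUITY_OK

    def decide(self, outcome: Outcome) -> bool:
        """Map an outcome to accept/reject under this store's policy."""
        if outcome is Outcome.KEY_CHANGED:
            return False  # needs out-of-band confirmation, see rotate()
        if outcome is Outcome.EXPIRED_METADATA:
            return not self.honour_self_asserted_expiry
        return True

    def rotate(self, identity: str, new_spki_der: bytes) -> None:
        """Explicit, operator-confirmed key change after an out-of-band check."""
        self.pins[identity] = spki_fingerprint(new_spki_der)


# Constructed sample input (not real keys): two stand-in DER SPKI byte strings.
KEY_A = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"A" * 78
KEY_B = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"B" * 78
T0 = datetime(2007, 4, 16, 11, 13, tzinfo=timezone.utc)
EXPIRY = T0 + timedelta(days=365)
HOST = "mail.example.net"  # hypothetical identity


def demo(honour_expiry: bool = False) -> List[Tuple[Outcome, bool]]:
    """Walk one identity through first use, continuity, a key swap, and a
    re-wrapped cert whose self-asserted validity has lapsed."""
    store = KeyContinuityStore(honour_self_asserted_expiry=honour_expiry)
    events = [
        Presented(HOST, KEY_A, EXPIRY), T0,
        Presented(HOST, KEY_A, EXPIRY), T0 + timedelta(days=30),
        Presented(HOST, KEY_B, EXPIRY), T0 + timedelta(days=31),
        Presented(HOST, KEY_A, EXPIRY), EXPIRY + timedelta(days=1),
    ]
    results = []
    for p, now in zip(events[0::2], events[1::2]):
        outcome = store.check(p, now)
        results.append((outcome, store.decide(outcome)))
    return results


if __name__ == "__main__":
    for outcome, accepted in demo():
        print(f"{outcome.name:18} accepted={accepted}")
```

The only difference between the two policy settings is what happens when the same pinned key turns up inside a certificate past its own notAfter: with `honour_self_asserted_expiry=False` the connection is accepted because the anchor (the key) has not changed, with it set to `True` the expiry is enforced. A key change is refused in both cases and is only cleared by the explicit `rotate()` path.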