On 17/12/08 02:42, Nelson B Bolyard wrote:
Frank Hecker wrote:

* Per German law S-TRUST issues one new root CA certificate for every
year, with each root cert having a 5-year lifetime.

Have they legislated that pi is 3 again?

Welcome to Europe, we hope you enjoyed your flight, and will travel on pi airlines around the globe again :)


Do the new certs for S-TRUST have the same key, or do they have
different keys? If they have different keys, do they also have different
subject names?
Do they have different Subject Key ID (SKID) extension values?
Do the certs they issue have Authority Key ID (AKID) extensions?


Certainly, these questions I would like answered too, and I wonder if we can get them, and the answers onto the wiki?

This whole thing makes little sense, and is a pretty big concern.


This is partly a cultural thing, and partly a case of "be careful what you wished for."

In Germany, the politicians and bureaucrats bought into the PKI thing in a big way, and proceeded to make it part of their business. Now, in Germany, unlike in other places, they tend to do things only when there is a law to back them up. In (say) America, they tend to do things when there is no law saying you can't. It's a cultural thing.

The law was created in typical European style: EU directive => enacting local law => regulator and regulations => "private market" controls, that last step being somewhat familiar as audits, etc.

Now, as we know, a lot of the stuff that PKI people said was hopeful, written down in advance of any large scale real world implementation. There are many gaps. When the Germans (or anyone else) came along and tried to regulate it, they had to fill in the gaps, because in their view, there should be no gaps, there should be a law plus regulation. The obvious happened: they filled in some gaps, but their solution was different to anyone else's.

Consider above, that the EU directive is 6 pages long. That means there are substantial gaps in how to do things, and therefore there are differences in the interpretations of the national perspectives.

One final gotcha to make it all the more delicious: in the EU directive (and therefore in the national laws) it says that all qualified implementations from other countries have to be accepted without question in your local country. Which means that what is explicitly banned in one country can be acquired from a neighbouring country, and must be accepted, even if banned in national law. Yes, this has caused wonderful clashes.



Now, what do you do about it? Mozo is in a difficult position. As we have discussed in this group before, Mozo's principle is to pass these questions across to the standards committee. For the sake of argument, this would be the PKIX committee.

However, national law trumps standards committees.

I wish it were different.  But, it isn't.



iang
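To make Nelson's key/SKID/AKID questions concrete, here is an added example (not from this thread, and not S-TRUST's certificates): it builds two constructed "yearly" roots with the same subject name, one leaf issued under the 2008 root, reports whether the roots share key, SKID and subject and whether the leaf's AKID points at root A, and then checks whether that leaf still verifies when only the 2009 root is trusted. All names, serials, keys and dates are constructed; whether the real roots reuse a key is exactly the open question.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Report answers the questions above for two yearly roots (A = 2008, B = 2009) and a leaf issued by A.
type Report struct{ SameKey, SameSKID, SameSubject, LeafAKIDMatchesRootA, LeafVerifiesUnderRootB bool }
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// sign issues tmpl under parent (self-signed when tmpl == parent); Go fills in SKID and AKID itself.
func sign(tmpl, parent *x509.Certificate, pub, key any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return c
}
// rootTemplate is a constructed stand-in for "the root for year Y": same name every year, 5-year lifetime.
func rootTemplate(year int) *x509.Certificate {
	nb := time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC)
	return &x509.Certificate{SerialNumber: big.NewInt(int64(year)), Subject: pkix.Name{CommonName: "Yearly Root (constructed)"},
		NotBefore: nb, NotAfter: nb.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}
// Inspect builds roots A (2008) and B (2009) from the given keys and a leaf issued by A, then verifies the leaf against B alone.
func Inspect(keyA, keyB *ecdsa.PrivateKey) Report {
	ta, tb := rootTemplate(2008), rootTemplate(2009)
	rootA, rootB := sign(ta, ta, keyA.Public(), keyA), sign(tb, tb, keyB.Public(), keyB)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "leaf.example (constructed)"},
		NotBefore: time.Date(2008, 6, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2009, 6, 1, 0, 0, 0, 0, time.UTC),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, rootA, newKey().Public(), keyA)
	pool := x509.NewCertPool() // trust store containing only the 2009 root
	pool.AddCert(rootB)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: time.Date(2009, 3, 1, 0, 0, 0, 0, time.UTC)})
	return Report{
		SameKey:                bytes.Equal(rootA.RawSubjectPublicKeyInfo, rootB.RawSubjectPublicKeyInfo),
		SameSKID:               bytes.Equal(rootA.SubjectKeyId, rootB.SubjectKeyId),
		SameSubject:            bytes.Equal(rootA.RawSubject, rootB.RawSubject),
		LeafAKIDMatchesRootA:   bytes.Equal(leaf.AuthorityKeyId, rootA.SubjectKeyId),
		LeafVerifiesUnderRootB: err == nil,
	}
}
```

With a reused key the 2008-issued leaf chains to the 2009 root as well (same subject, same key, same SKID), so the yearly roots behave as one trust anchor; with fresh keys each year the leaf only chains to the root that actually signed it.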
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto