[636] in WWW Security List Archive
Re: Re- Hierarchies and Webs of
daemon@ATHENA.MIT.EDU (Jason Dawes)
Wed Apr 26 05:01:31 1995
From: Jason Dawes <dawes@dstc.qut.edu.au>
To: joe_tardo@genmagic.com (Joe Tardo)
Date: Wed, 26 Apr 1995 15:03:12 +1000 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <n1413306289.86763@qm.genmagic.com> from "Joe Tardo" at Apr 25, 95 01:08:00 pm
Errors-To: owner-www-security@ns2.rutgers.edu
>
> The "hierarchical approach" you are referring to is that used by PEM, based on
> X.509. This builds on a lot of structure to constrain what you refer to as
> "transitivity".
>
> With the "hierarchical approach," the assumption is that interior nodes are
> CA's and leaf nodes are not. From the naming attributes, you can tell
> syntactically what (e.g., OU= vs. CN=) names are which. This lets you
> "parse" a certificate chain, assuming, of course, that the CA's only certify
> proper CA's further down the food chain, where "proper" means "according to
> understood policy".
>
Unfortunately, X.509/PEM imposes an X.500 naming hierarchy on the trust
hierarchy, which may not follow the local policy at all. Version 2 of PEM
has gone some way to allieviate this, using multiple root level CA's, but
the problem still exists.
Work needs to be done on the definitions of "security policy" and possibly
some sort of standardised "policy meta-language", to allow transitive trust
to be fully realised.
--
===============================================================================
Jason Dawes | Internet: dawes@dstc.qut.edu.au
Research Scientist | Phone: +61-7-864-5337
Co-operative Research Centre for | FAX: +61-7-864-1282
Distributed Systems Technology. | URL: http://www.dstc.edu.au/intro.html
===============================================================================
