-----BEGIN PGP SIGNED MESSAGE-----
From: Rich Salz <rsalz@osf.org> Date: Wed, 29 Nov 1995 08:54:33 -0500
Bingo! This is one of the hard parts of certificate authorities; just what are you attesting to? The American Bar Association has a big document for public review that addresses what this might mean; there are a couple of RFC's that specify CA policies (one from COST in Sweden, I think), and RSA and/or Verisign will give you their policy in hardcopy.
In x.509v3 certificates, there is an extensible field where the key-signer can put arbitrary data. The intent is apparently that you put the ISO object-ID (you know, those funny 1.3.2.11.... numbers) of the policy document.
Ah, yes. Here's another example of the problem with ASN.1. That field could equivalently be just a URL for the policy document (or, if short enough, the policy itself). However, ASN.1 seduced folks into indirecting this through some object ID -- bringing all these documents into the one master hierarchy of things in the world. Some people just like hierarchies, I guess. :)
There is, of course, no way to interpret the semantics of this electronically.
Of course not. In the end, a human needs to make the decision based on ASCII text.
It will be interesting to see how various companies address this issue, for example as they start to support arbitrary CA's in browsers or servers while doing commerce over the web.
Yup. - Carl +--------------------------------------------------------------------------+ |Carl M. Ellison cme@tis.com http://www.clark.net/pub/cme | |Trusted Information Systems, Inc. http://www.tis.com/ | |3060 Washington Road PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2| |Glenwood MD 21738 Tel:(301)854-6889 FAX:(301)854-5363 | +--------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBML3JY1QXJENzYr45AQHWIwP/VzoZuonIoMbIYHaA+noZpwnmNnxXc+jx elJNQkHglyE7U1pBfC90s8IewujeG5T97v5g5e9bAXi/gysIPoguAXYSdIufvjz+ +WpCDrxn4UlfRzfOrTOgpZ1KQwPUllywOo1Yehd2h35ctJ8P7sa27mS/AEyET85E rUvKlVpN/04= =EhTO -----END PGP SIGNATURE-----