Subject: Re: strawman trust model - cross certificates
To: Daniel Carosone <dan@geek.com.au>
From: Daniel Carosone <dan@geek.com.au>
List: tech-userlevel
Date: 05/19/2004 10:16:59
--nywXBoy70X0GaB8B
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 19, 2004 at 09:51:45AM +1000, Daniel Carosone wrote:
> That trust decision is mapped by either installing additional certs in
> the directory, or (preferably) by issuing a cross-certificate to it
> from the host's CA (again, with suitable constraints for purpose) and
> installing that.[*]
>=20
> [*] I'm not sure if openssl processes cross certificates, anyone know?

I'm starting to suspect it doesn't, actually.

No matter, in that case what gets signed is a "policy document" that
says "the owner of this system permits stuff signed under this other
key to be installed", and the install tools look for such documents in
some standardised location.  Cross certs with particular constraints
and extension oid's are merely one potential form of such generic
documents.

I knew I should have taken my own advice and resisted the temptation
to use technology-specific examples.

--
Dan.

--nywXBoy70X0GaB8B
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iD8DBQFAqqd7EAVxvV4N66cRAokBAKDTNifRTvVJRKxot+UDG7o+f0Ln9ACgkYmQ
tLgYbK0DQYmUuxQj877IJ1U=
=l+k9
-----END PGP SIGNATURE-----

--nywXBoy70X0GaB8B--