Subject: Re: strawman trust model - cross certificates
To: Daniel Carosone <email@example.com>
From: Daniel Carosone <firstname.lastname@example.org>
Date: 05/19/2004 10:16:59

On Wed, May 19, 2004 at 09:51:45AM +1000, Daniel Carosone wrote:
> That trust decision is mapped by either installing additional certs in
> the directory, or (preferably) by issuing a cross-certificate to it
> from the host's CA (again, with suitable constraints for purpose) and
> installing that.[*]
>
> [*] I'm not sure if openssl processes cross certificates, anyone know?

I'm starting to suspect it doesn't, actually.

No matter, in that case what gets signed is a "policy document" that
says "the owner of this system permits stuff signed under this other
key to be installed", and the install tools look for such documents in
some standardised location. Cross certs with particular constraints
and extension OIDs are merely one potential form of such generic

I knew I should have taken my own advice and resisted the temptation
to use technology-specific examples.
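
Added example, not part of the original message or of any tool it mentions: a sketch of the install-time check described above, in which the owner signs a policy document permitting another key for stated purposes. A Lamport one-time hash signature stands in for a real signature scheme so the code runs on the standard library alone; the JSON layout, the purpose names and all function names are assumptions, and the list of documents stands in for files found in the standardised location.

```python
import hashlib, json, secrets
H = lambda b: hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key (stand-in scheme): 256 secret pairs, public = hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; each key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

def key_id(pk):
    return H(b"".join(a + b for a, b in pk)).hex()

def make_policy(owner_sk, permitted_pk, purposes):
    # Hypothetical layout: which key is permitted, and for which purposes.
    body = json.dumps({"permit_key": key_id(permitted_pk),
                       "purposes": sorted(purposes)}, sort_keys=True).encode()
    return {"body": body, "sig": sign(owner_sk, body)}

def may_install(owner_pk, policies, signer_pk, purpose, package, package_sig):
    # 1. The package must verify under the key that claims to have signed it.
    if not verify(signer_pk, package, package_sig):
        return False
    # 2. An owner-signed policy must permit that key for this purpose.
    for doc in policies:
        if not verify(owner_pk, doc["body"], doc["sig"]):
            continue  # unsigned or altered policy documents are ignored
        policy = json.loads(doc["body"])
        if policy["permit_key"] == key_id(signer_pk) and purpose in policy["purposes"]:
            return True
    return False

def demo():  # constructed sample: owner permits one vendor key for "packages"
    (owner_sk, owner_pk), (vendor_sk, vendor_pk) = keygen(), keygen()
    pkg = b"constructed package contents"
    sig = sign(vendor_sk, pkg)
    docs = [make_policy(owner_sk, vendor_pk, ["packages"])]
    return [may_install(owner_pk, docs, vendor_pk, purpose, pkg, sig)
            for docs, purpose in ((docs, "packages"), (docs, "kernel"), ([], "packages"))]
```

The purpose check plays the role of the "suitable constraints for purpose" in the quoted text: a key permitted for one purpose is refused for any other, and a policy document not signed by the owner's key has no effect.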