Subject: Re: strawman trust model - cross certificates
To: Daniel Carosone <>
From: Daniel Carosone <>
List: tech-userlevel
Date: 05/19/2004 10:16:59

On Wed, May 19, 2004 at 09:51:45AM +1000, Daniel Carosone wrote:
> That trust decision is mapped by either installing additional certs in
> the directory, or (preferably) by issuing a cross-certificate to it
> from the host's CA (again, with suitable constraints for purpose) and
> installing that.[*]
> [*] I'm not sure if openssl processes cross certificates, anyone know?

I'm starting to suspect it doesn't, actually.

No matter, in that case what gets signed is a "policy document" that
says "the owner of this system permits stuff signed under this other
key to be installed", and the install tools look for such documents in
some standardised location.  Cross certs with particular constraints
and extension OIDs are merely one potential form of such generic

I knew I should have taken my own advice and resisted the temptation
to use technology-specific examples.


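The signed "policy document" idea from the message above, sketched as an added example that is not part of the original post or of any NetBSD tool. The policy file format, the `permit-key` keyword and all file names are assumptions, and the keys and package are constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration: policy format, "permit-key" keyword and file names are assumptions.
set -u

# SHA-256 fingerprint of a PEM public key (hash of its DER encoding).
key_fpr() {
    openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_sig PUBKEY SIGFILE DATAFILE: status 0 only if the signature is valid.
verify_sig() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# install_allowed OWNER_PUB POLICY POLICY_SIG SIGNER_PUB PKG PKG_SIG
# Status 0 only if the policy is signed by the system owner, the policy
# names the signer's key, and the package verifies under that key.
install_allowed() {
    verify_sig "$1" "$3" "$2" || return 1
    fpr=$(key_fpr "$4") || return 1
    grep -qxF "permit-key sha256:$fpr" "$2" || return 1
    verify_sig "$4" "$6" "$5"
}

# Build constructed keys, a policy permitting only "vendor", and a package
# signed once by vendor and once by an unlisted "rogue" key. Prints the dir.
demo_setup() {
    d=$(mktemp -d) || return 1
    for n in owner vendor rogue; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/$n.key" 2>/dev/null || return 1
        openssl pkey -in "$d/$n.key" -pubout -out "$d/$n.pub" || return 1
    done
    printf 'permit-key sha256:%s\n' "$(key_fpr "$d/vendor.pub")" > "$d/policy"
    openssl dgst -sha256 -sign "$d/owner.key" -out "$d/policy.sig" "$d/policy"
    echo 'constructed package payload' > "$d/pkg"
    openssl dgst -sha256 -sign "$d/vendor.key" -out "$d/pkg.vendor.sig" "$d/pkg"
    openssl dgst -sha256 -sign "$d/rogue.key" -out "$d/pkg.rogue.sig" "$d/pkg"
    echo "$d"
}

d=$(demo_setup) || exit 1
trap 'rm -rf "$d"' EXIT
install_allowed "$d/owner.pub" "$d/policy" "$d/policy.sig" \
    "$d/vendor.pub" "$d/pkg" "$d/pkg.vendor.sig" && echo "vendor: permitted"
install_allowed "$d/owner.pub" "$d/policy" "$d/policy.sig" \
    "$d/rogue.pub" "$d/pkg" "$d/pkg.rogue.sig" || echo "rogue: refused"
```

The install tool needs only the owner's public key as its trust anchor; which other keys it accepts is decided entirely by what the owner has signed.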