In an earlier version of the diagram I had one more level of
certificate between the bridge certificates and the end-user
certificates, but I was trying to make it simpler.  If there is
one more certificate between (Bridge)QSign and (QSign)End User
it could be supplied by the Q offerer.

The cost here seems to be that the certificate marked (1)
needs to be available to the relying party, and if the P PKI
participates in multiple bridges, then there are multiple
certificates in this class.  Similarly, if the Q PKI
participates in multiple bridges, a Q offerer might have to
send along multiple bridge certificates.

This means that when a PKI decides to participate in another
bridge, certificates have to be disseminated into the client
software.  This does not scale well.  Finding them in a
directory seems like a good alternative.

In this arrangement I could see there being three separate
LDAP repositories: one for PKI P, another for PKI Q, and a
third for the bridge itself.

BTW my ultimate goal: my pointy-headed boss says "we will
cross-certify with the Higher Ed bridge, which will then
cross-certify with the Federal bridge, then our researchers
will be able to submit signed grant applications to NIH."

Now I'm just trying to see the shape in which this could
possibly ACTUALLY WORK...

Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Thu,
> 07 Oct 2004 15:20:52 -0400,
> Charles B Cranston <[EMAIL PROTECTED]> said:

>> So, this is perhaps the most simple "bridge" PKI arrangement:
>> +-+-----------+                                    +-+-----------+
>> |T|           |                                    |T|           |
>> +-+-----------+                                    +-+-----------+
>> |   P Root    +--------+                   +-------+   Q Root    |
>> +-------------+        |                   |       +-------------+
>>                        v                   v
>>                 +------+------+     +------+------+
>>             (1) |  (P Root)   |     |  (Q Root)   |
>>                 +-------------+     +-------------+
>>                 |   Bridge    +--+--+   Bridge    |
>>                 +-------------+  |  +-------------+
>>                                  |
>>                        +---------+---------+
>>                        v                   v
>>                 +------+------+     +------+------+
>>                 |  (Bridge)   |     |  (Bridge)   |
>>                 +-------------+     +-------------+
>>        +--------+   P Sign    |     |   Q Sign    +--------+
>>        |        +-------------+     +-------------+        |
>>        v                                                   v
>> +------+------+                                     +------+------+
>> |  (P Sign)   |                                     |  (Q Sign)   |
>> +-------------+                                     +-------------+
>> | P End User  |                                     | Q End User  |
>> +-------------+                                     +-------------+

> That diagram throws me off.  I've a hard time figuring out what
> represents certificates, exactly, and it looks like you MIGHT imply
> that a bridge certificate could be used directly to verify EE
> certificates, which is the wrong way to go about it.

Does the interposition of another level above the end-user certificate
address this complaint?  Basically I'm trying to understand the text
in RFC3280 describing AIA, which seems to refer to the CA that is TWO
levels up from the certificate containing the AIA??

--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
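As an added example that is not part of the thread, the script below rebuilds the quoted diagram with the openssl command line (assumes an openssl CLI, 1.1.1 or later; all names, serials and extension profiles are constructed) and shows what a relying party that trusts only P Root needs in order to validate a Q end-user certificate: the bridge certificate marked (1) plus (Bridge)Q Sign, and nothing else.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the posted diagram with the
# openssl CLI and exercise path validation across the bridge. All names, serials
# and extension profiles below are constructed for this illustration.
set -eu
cd "$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal req config (constructed)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ee.ext

# newkey NAME CN: one P-256 key plus a CSR for each box in the diagram
newkey() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
# selfsign NAME: a trust anchor (P Root, Q Root)
selfsign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 -days 30 \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}
# issue SUBJ ISSUERCERT ISSUERKEY SERIAL EXT OUT: the issuer signs SUBJ's CSR
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -set_serial "$4" -days 30 \
    -extfile "$5" -out "$6" 2>/dev/null
}

newkey proot "P Root";  newkey qroot "Q Root";  newkey bridge "Bridge"
newkey psign "P Sign";  newkey qsign "Q Sign";  newkey quser "Q End User"
selfsign proot; selfsign qroot
issue bridge proot.pem proot.key 10 ca.ext bridge_by_p.pem   # certificate (1): (P Root) Bridge
issue bridge qroot.pem qroot.key 11 ca.ext bridge_by_q.pem   # (Q Root) Bridge, same bridge key
issue psign bridge_by_p.pem bridge.key 20 ca.ext psign.pem   # (Bridge) P Sign
issue qsign bridge_by_q.pem bridge.key 21 ca.ext qsign.pem   # (Bridge) Q Sign
issue quser qsign.pem qsign.key 30 ee.ext quser.pem          # (Q Sign) Q End User

# check ANCHOR UNTRUSTED...: succeeds only if openssl can build a path from the
# Q end-user certificate to ANCHOR using just the supplied untrusted certificates
check() {
  anchor=$1; shift
  cat "$@" > chain.pem
  openssl verify -CAfile "$anchor" -untrusted chain.pem quser.pem >/dev/null 2>&1
}

# A relying party in P trusts only P Root; the Q offerer must supply (1) and (Bridge)Q Sign
check proot.pem bridge_by_p.pem qsign.pem && echo "P anchor, with cert (1): path OK"
# Without cert (1) there is no link from Bridge back to P's own anchor
check proot.pem qsign.pem || echo "P anchor, without cert (1): path fails"
# Inside Q, the same EE certificate validates through the bridge cert issued by Q Root
check qroot.pem bridge_by_q.pem qsign.pem && echo "Q anchor, with (Q Root)Bridge: path OK"
```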

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]