[standards-jig] Digital ID support in Vista

dirkx at covalent.net dirkx at covalent.net
Wed Apr 10 11:11:47 UTC 2002


On Wed, 10 Apr 2002, Ashvil wrote:

> >  Why  didn't you use the existing method?

> If you mean the PGP security, that would not work for us. We wanted the
> Presence to be signed with a Digital Certificate that was signed by a
> Certifying Authority.

> As far as I know, the PGP security does not have Certifiying Authorities
> structure in place like Versign, etc.

A 'Certificate Authority' is essentially an out of band agreement between
parties who agree that they all trust a certain CA.

There is nothing stopping you in the PGP technology to designate (and ship
bundled with your code) a certain set of key ID's and verify that these
are present in any certificate (chain).

When it comes down to code; really all wich makes a CA a CA is wether his
or her key gets put in the 'ca-bundle' file the software vendor ships with
the product; or which the user puts in place. The RSA and OpenSSL
libraries know surprizingly little about the concept of a CA - all they do
is follow signing tree's up until they hit a cert which they have in their
out-of-band configured list of cert's acceptable/trusted by the user.

Dw




More information about the Standards mailing list