From: Rich Salz <rsalz@osf.org>
Date: Wed, 29 Nov 1995 22:09:51 +0800
To: frantz@netcom.com
Subject: Re: The future will be easy to use
Message-ID: <9511291354.AA16998@sulphur.osf.org>
MIME-Version: 1.0
Content-Type: text/plain


>There is more to this problem than how it is that I trust the key.  There
>is also what I trust it for.  ...
>It is hard to see how to record the information about how much I trust the
>receipent's systems security.

Bingo!  This is one of the hard parts of certificate authorities; just
what are you attesting to?  The American Bar Association has a big document
for public review that addresses what this might mean; there are a couple
of RFC's that specify CA policies (one from COST in Sweden, I think), and
RSA and/or Verisign will give you their policy in hardcopy.

In x.509v3 certificates, there is an extensible field where the key-signer
can put arbitrary data.  The intent is apparently that you put the ISO
object-ID (you know, those funny 1.3.2.11.... numbers) of the policy
document.

There is, of course, no way to interpret the semantics of this electronically.
It will be interesting to see how various companies address this issue,
for example as they start to support arbitrary CA's in browsers or servers
while doing commerce over the web.
	/r$