On Wed, 23 Nov 2005, Steven M. Bellovin wrote:
I think the problem is both easier and harder than painted. First, you need a business agreement that you will accept each others' assertions of member identities, aka certificates. Second, you have to agree on a common format and meaning for certain fields, including thinks like CRLs.
I'm not sure if I think the technical specs or the business agreement are the hard parts...
Ah the business issues start bubbling to the surface. Have you noticed for various reasons network service providers don't like to "sign" or "certify" the business activities of other entities. In the 1990's several network service providers (AT&T, BBN, etc) established PKIs, but now very few network service provider will "certify" S/MIME e-mail, SSL web, or other type of third-party activity. Although techincal folks may think its just about math, unfortunately some people think certificates and signatures mean more than just mathmatical formulas. I'm a bit confused why people think network service providers will be willing to "certify" transitive trust relationships about business relationships between third-parties.