public key related information have certification processes defined,
which can either be done by individuals directly or possibly by some
trusted third party ("TTP") or other institution responsible for the
actual information (in the "TTP" scenario, the institution performing
the certification process has frequently not been the institution that
was actually responsible for the accuracy of the information; the
"TTP" would just certify that they had checked with the agency that
was actually responsible for the information).
the results of the certification process have been the loading of the
certified information into a trusted repository. the trusted
repository could be purely private ... somewhat like an individual's
pgp repository; or possibly some public, online trusted repository.
Another example is the trusted repository of certification authority
public keys shipped in some number of products ... especially browsers
associated with the SSL process.
there was also the scenario that for an offline, disconnected world, a
requirement for certified information (an analog to the old time
letters of credit/introduction from the sailing ship days ... and even
earlier). these were typically read-only copies of some public key
related certified information (that typically resides in some trusted
repository), which were "armored" (with digital signature technology)
for survival in the wild (freely floating around). These are called
digital certificates.
The requirement for the digital certificate (analog of the old-time,
offline letters of credit/introduction) was that the relying party
had no means of their own for directly accessing certified information
... so the other communicating party was presenting a form of
credential along with the communication (again as opposed to the
relying party having their own direct access to such certified
information).
The offline era tends to focus on the resistance of the
credential/certificates to forgery or counterfeiting (degree of
confidence that relying parties could trust the
credential/certificate). A different kind of example is the
educational certificates from diploma mills.
The online era tends to focus on the integrity of the certification
process and the organization providing the information, typical of
online, real-time operation. This moves past the offline era (worried
about whether the credentials/certificates could be forged or
counterfeited) and moves to what was the meaning of the actual
certified information and all aspects of the associated certification
process.
there have been a number of IETF RFCs that revolve around definitions
for repositories for digital certificates. In the trusted repository
scenario, having both trusted repository of the information and the
information also being read-only copy armored for survival in the wild
(freely floating around), would be redundant and superfluous.
In my (actual) RFC summary entries ... (follow the indicated URL),
clicking on the ".txt=nnnn" field, retrieves the actual RFC
http://www.garlic.com/~lynn/rfcidx14.htm#4398
Storing Certificates in the Domain Name System (DNS), Josefsson S.,
2006/03/31 (17pp) (.txt=35652) (Obsoletes 2538) (Refs 1034, 1035,
2246, 2247, 2440, 2693, 2822, 3280, 3281, 3548, 3851, 3986, 4025,
4033, 4034, 4301) (SC-DNS) (was draft-ietf-dnsext-rfc2538bis-09.txt)
http://www.garlic.com/~lynn/rfcidx14.htm#4387
Internet X.509 Public Key Infrastructure Operational Protocols:
Certificate Store Access via HTTP, Gutmann P., 2006/02/07 (25pp)
(.txt=63182) (Refs 2440, 2585, 2616, 2782, 2854, 3156, 3205, 3275,
3280, 3390, 3852, 3875) (was draft-ietf-pkix-certstore-http-09.txt)
http://www.garlic.com/~lynn/rfcidx14.htm#4386
Internet X.509 Public Key Infrastructure Repository Locator Service,
Boeyen S., Hallam-Baker P., 2006/02/03 (6pp) (.txt=11330) (Refs 2559,
2560, 2585, 2782) (was draft-ietf-pkix-pkixrep-04.txt)
--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
Received on Mon May 1 01:55:06 2006
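As an added illustration of the first repository RFC listed above (RFC 4398, certificates stored in DNS), and not code from the post or from the RFC itself, the following Python encodes and decodes the CERT RR RDATA (type, key tag, algorithm, certificate) and computes the key tag with the RFC 4034 Appendix B routine that RFC 4398 reuses; the DNSKEY bytes and the "DER" certificate body are constructed placeholders.

```python
import base64
import struct

# RFC 4398 section 2.1 certificate type mnemonics and their numeric values.
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
              "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}
TYPE_NAMES = {v: k for k, v in CERT_TYPES.items()}


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (general, non-RSA/MD5 form), run over
    the DNSKEY RDATA form of the key embedded in the certificate."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_cert_rdata(cert_type: int, tag: int, algorithm: int, cert: bytes) -> bytes:
    """Wire-format RDATA: type (2 bytes) | key tag (2) | algorithm (1) | certificate."""
    return struct.pack("!HHB", cert_type, tag, algorithm) + cert


def decode_cert_rdata(rdata: bytes) -> dict:
    """Parse wire-format RDATA, rejecting a truncated header and the
    inconsistent case RFC 4398 forbids (non-zero key tag with algorithm 0)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    if algorithm == 0 and tag != 0:
        raise ValueError("key tag must be 0 when algorithm is 0")
    return {"type": TYPE_NAMES.get(cert_type, str(cert_type)),
            "key_tag": tag, "algorithm": algorithm, "certificate": rdata[5:]}


def presentation(rdata: bytes) -> str:
    """Master-file form: CERT <type> <key tag> <algorithm> <base64 certificate>."""
    f = decode_cert_rdata(rdata)
    return "CERT {} {} {} {}".format(f["type"], f["key_tag"], f["algorithm"],
                                     base64.b64encode(f["certificate"]).decode())


if __name__ == "__main__":
    # Constructed sample: a fake DNSKEY RDATA for the key tag and a placeholder
    # certificate body standing in for real DER.
    tag = key_tag(b"\x01\x00\x03\x08\x01\x02")
    rdata = encode_cert_rdata(CERT_TYPES["PKIX"], tag, 8, b"DER")
    print(presentation(rdata))
```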