PKI-Light Project Goals/Assumptions/Questions
Initial Preliminary Draft Version: August 1, 2001
Overarching goal - simplify the PKI as much as possible while still enabling
some applications. S/MIME and Web authentication are the early PKI-Light
A good way to explain with PKI-Light is to draw on the idea of technological
innovation vs application procedures. The idea is to use PKI but
without attempting to redo and make correspondingly more complex all of
the existing procedures used our processes.
Revocation: up to the institution. If a CRL pointer exists in the
cert, the CA will issue CRLs and will adhere to the promised next issue
date in the CRL.
We will not specify key usage but may choose to hint at a good default
PKI-Light will not specify a requirement for separate signing and encryption
PKI-Light will not impose a requirement for key escrow. Should we
recommend against it?
Certificate Policy OID. Considerations: skip the oid, issue a null
I2 OID so that people start to think about this, agree on a trivial policy
and issue an OID, etc.
Fully on-line CAs with an appropriate level of system security are OK for
PKI-Light applications. PKI-Light does not specify any particular level
of protection for the PKI-Light campus CA?
Should PKI-light specify the initial level of identity assurance?