Re: About RFC 3280bis
Chapter 6.2 has the following phrase:
"An implementation that supports multiple trust anchors
MAY augment the algorithm presented in section 6.1 to further limit
the set of valid certification paths which begin with a particular
trust anchor."
I suggest changing this into two independent sentences because
the second part of the sentence also applies if there is only
one trust anchor.
"An implementation MAY support multiple trust anchors
with different sets of initialisation values for
each trust anchor.
An implementation MAY augment the algorithm presented in section 6.1
to further limit the set of valid certification paths which begin
with a particular trust anchor."
A second suggestion is to add something like:
In case of multiple trust anchors, an extended algorithm
MUST prohibit uncontrolled usage of different trust anchors
for the validation of cert paths, CRL paths or validation services
paths.
In many cases, path validation for the cert, the CRL or a
validation service uses the same trust anchor, but an extended
validation algorithm may use different but associated trust
anchors for each path.
Peter
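
The two suggestions in the message above, sketched as an added example that is not part of the original message or of the RFC text: each trust anchor carries its own initialisation values (the input names are those of RFC 3280 section 6.1.1), and a CRL or validation-service path is accepted only if it ends at the same anchor as the cert path or at one explicitly associated with it. The `associated` field, the class and method names, the anchor names and the policy OID are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID

@dataclass(frozen=True)
class AnchorProfile:
    """Per-anchor initialisation values (inputs named in RFC 3280 section 6.1.1)."""
    name: str
    user_initial_policy_set: frozenset = frozenset({ANY_POLICY})
    initial_policy_mapping_inhibit: bool = False
    initial_explicit_policy: bool = False
    initial_any_policy_inhibit: bool = False
    # Hypothetical field: anchors that may terminate CRL or validation-service
    # paths for certificates whose cert path ends at this anchor.
    associated: frozenset = frozenset()

class AnchorStore:
    def __init__(self, profiles):
        self._by_name = {p.name: p for p in profiles}

    def inputs_for(self, anchor):
        """Initialisation values to feed the section 6.1 algorithm for this anchor."""
        return self._by_name[anchor]

    def may_use(self, cert_anchor, other_anchor):
        """True if a CRL or validation-service path ending at other_anchor is
        acceptable for a cert path ending at cert_anchor."""
        if cert_anchor not in self._by_name or other_anchor not in self._by_name:
            return False  # unknown anchors are never trusted
        if other_anchor == cert_anchor:
            return True   # the common case: same anchor for every path
        # Different anchor: allowed only through an explicit association.
        return other_anchor in self._by_name[cert_anchor].associated

# Constructed sample configuration (names and policy OID are placeholders).
STORE = AnchorStore([
    AnchorProfile("Root-A", associated=frozenset({"Root-A-CRL"})),
    AnchorProfile("Root-A-CRL"),
    AnchorProfile("Root-B",
                  user_initial_policy_set=frozenset({"1.3.6.1.4.1.99999.1"}),
                  initial_explicit_policy=True),
])
```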