Re: I-D ACTION:draft-ietf-pkix-rfc3770bis-01.txt

[Peter Sylvester <Peter.Sylvester@xxxxxxxxxx>]

Some more remaks:

1 ***

text says:

1.3. Abstract Syntax Notation

   All X.509 certificate [X.509] extensions are defined using ASN.1
   [X.660].

and:

   [X.660]     ITU-T Recommendation X.660 Information Technology - ASN.1
               encoding rules: Specification of Basic Encoding Rules
               (BER), Canonical Encoding Rules (CER) and Distinguished
               Encoding Rules (DER), 1997.

this looks strange to me. The encoding rules are not the asn1 syntax.

Suggestion: 

remove 1.3 and the reference. 

2 ***

   If a certificate contains a key usage extension, the KeyUsage bits
   that are needed depends on the EAP method that is employed; however,
   the keyCertSign bit and the cRLSign MUST NOT be associated with EAP
   method end entity certificates.

This means that you cannot have a certificat WITHOUT keyUsage?
Or, in case of a certificate without keyUsage, you could use it
for CrlSigning? 

This restriction is new, and I don't see why this is necessary.
I am not sure, but I don't know of any other purpose that has
a restriction like this, and current scvp specs don't allow to
check for this (you cannot specify MUST NOT). 

suggestion, remove the second half sentence. 


3 *** chapter two should read IMO:

2. EAP Extended Key Usage Values

   RFC 3280 [PROFILE] specifies the extended key usage X.509 certificate
   extension.  The extension indicates one or more purposes for which
   the certified public key may be used.  

   This specification defines two KeyPurposeId values: one for EAP over
   PPP, and one for EAP over LAN (EAPOL).  Inclusion of the EAP over PPP
   value indicates that the certified public key is appropriate for use
   with EAP in the PPP environment, and the inclusion of the EAPOL value
   indicates that the certified public key is appropriate for use with
   the EAP in the LAN environment.  Inclusion of both values indicates
   that the certified public key is appropriate for use in either of the
   environments.

      id-kp-eapOverPPP  OBJECT IDENTIFIER  ::=  { id-kp 13 }

      id-kp-eapOverLAN  OBJECT IDENTIFIER  ::=  { id-kp 14 }

   The extended key usage extension MAY, at the option of the
   certificate issuer, be either critical or non-critical.

   If the extended key usage is present in a certificate,
   Certificate using applications MAY require that a particular purpose
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   (such as id-kp-eapOverPPP or id-kp-eapOverLAN) be indicated in order
   for the certificate to be acceptable to that application.

   If a certificate contains a key usage extension, the KeyUsage bits
   that are needed depends on the EAP method that is employed.
   There is currently no method that require the usage of the keyCertSign
   or the cRLSign bit to be set.  

with the XXXX a little bit more specific. 

4 *** The OID arcs should be imported from 


IMPORTS

   id-pe, id-kp 
   FROM PKIX1Explicit88 { iso(1) identified-organization(3)
            dod(6) internet(1) security(5) mechanisms(5) pkix(7)
            id-mod(0) id-pkix1-explicit(18) }

   id-aca FROM
   PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6)
                internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
                id-mod-attribute-cert(12)}


peter