
Re: Comments on <draft-ietf-pkix-crlaia-00.txt>

Denis:

>>> You say that it is not clear what validation policy needs to be used,
>>> but this is completely irrelevant to the discussion of the CRL AIA
>>> extension.  This extension aids in certification path construction,
>>> not the validation of the path once it is constructed.

>> Not exactly, it could "help" finding a wrong path!

> Not likely.  The signer of the CRL is providing a pointer to their own
> certificate.  Path construction to locate a parent of that certificate
> through a complex PKI might include paths that are acceptable and paths
> that are unacceptable, but the certificate that contains the public key
> needed to validate the signature on the CRL is clearly needed.

The problem is to know if a CRL that has been fetched "somewhere" is adequate for the target certificate. It is not to validate a CRL that has been fetched "somewhere".

You continue to miss the whole point of this document.

The certificate user has already obtained the CRL, but needs the certificate of the CRL issuer in order to validate the signature on the CRL. That is the scope of this document. You keep trying to make it something else.

Russ
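The step Russ describes above, as an added example that is not part of the thread or of the draft: a relying party that already holds a CRL reads the CRL's AIA extension, follows its caIssuers pointer to obtain the CRL issuer's certificate, and uses that certificate's public key to check the CRL signature. It uses the `cryptography` package; the issuer names, the URI and the in-memory "fetch" store are constructed for the demonstration. Note what the code does not do: it says nothing about whether the CRL is the right one for a given target certificate, which is exactly the adequacy question the thread says is out of scope for the extension.

```python
"""Added example (not from the PKIX thread or the draft): a CRL carrying an
AIA extension with a caIssuers pointer, and a relying party that follows the
pointer to obtain the CRL issuer's certificate and verify the CRL signature.
Requires the 'cryptography' package. Names, URI and keys are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

CA_ISSUERS_URI = "http://ca.example.test/crl-issuer.cer"  # constructed URI


def make_crl_issuer(common_name):
    """Self-signed certificate plus key for a constructed CRL issuer."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(key, issuer_cert, aia_uri):
    """CRL signed by issuer_cert's key, with an AIA caIssuers pointer to aia_uri."""
    now = datetime.datetime.now(datetime.timezone.utc)
    aia = x509.AuthorityInformationAccess([
        x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS,
            x509.UniformResourceIdentifier(aia_uri),
        )
    ])
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
        .add_extension(aia, critical=False)
        .sign(key, hashes.SHA256())
    )


def crl_issuer_uris(crl):
    """caIssuers URIs from the CRL's AIA extension (empty list if absent)."""
    try:
        aia = crl.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [
        d.access_location.value
        for d in aia
        if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS
        and isinstance(d.access_location, x509.UniformResourceIdentifier)
    ]


def verify_crl_signature(crl, fetch):
    """Follow each AIA pointer with fetch(uri) -> DER bytes or None, and
    return True only if a fetched certificate names the CRL issuer and its
    public key verifies the CRL signature. Path validation of that
    certificate, and whether this CRL covers a given target certificate,
    are separate questions and deliberately not answered here."""
    for uri in crl_issuer_uris(crl):
        der = fetch(uri)
        if der is None:
            continue
        candidate = x509.load_der_x509_certificate(der)
        if candidate.subject != crl.issuer:
            continue  # wrong certificate served at the pointer
        if crl.is_signature_valid(candidate.public_key()):
            return True
    return False


def demo():
    """Run the three cases: correct issuer cert, an unrelated cert, nothing."""
    key, issuer_cert = make_crl_issuer("Example CRL Issuer")
    _, other_cert = make_crl_issuer("Unrelated CA")
    crl = make_crl(key, issuer_cert, CA_ISSUERS_URI)
    good_store = {CA_ISSUERS_URI: issuer_cert.public_bytes(Encoding.DER)}
    bad_store = {CA_ISSUERS_URI: other_cert.public_bytes(Encoding.DER)}
    return {
        "aia_uris": crl_issuer_uris(crl),
        "valid_with_issuer_cert": verify_crl_signature(crl, good_store.get),
        "valid_with_other_cert": verify_crl_signature(crl, bad_store.get),
        "valid_with_nothing_fetched": verify_crl_signature(crl, {}.get),
    }


if __name__ == "__main__":
    print(demo())
```

The `fetch` callable stands in for the HTTP retrieval a real client would perform; keeping it injectable makes the logic testable offline and keeps the decision ("does this key verify this CRL?") separate from transport.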