Re: 3280bis: CRL validation
Santosh,
Since it took you less than 15 minutes to reply, it means that you did not pay
enough attention to the content of my short message. :-)
>Denis,
>We may be solving different problems.
Certainly. You try to solve a more complex problem that belongs to the case b) category.
Once case a) is solved, then we can talk of the "zillions" cases b).
> I am solving the problem of names not being unique.
You would have to be more specific so that I can really make sure what you mean here.
> There is no need or benefit to adding a new extension.
As far as I am concerned, I am using currently defined extensions.
>May be you are proposing to list the names of the CA's in the path in this
>extension.
This was my proposal to solve the "zillions cases", but not to solve case a).
> If so, the solution does not fit today's extensions and lacks
>agility of the algorithm I proposed and has the same or greater complexity.
For case a), one single name is necessary. That name cannot be ambiguous
since it can only be given by the CA that has issued the target certificate.
My point is the following:
"For case a), the name(s) contained in certificateIssuer MUST be certified
by the CA that has issued the certificate where the extension appears".
Denis
>It will not reduce the complexity since the same matching will be requiring.
>
>You saying that you do not understand my posting is akin to turning a deaf
>ear to a discussion.
>
>-----Original Message-----
>From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
>Behalf Of Denis Pinkas
>Sent: Friday, June 10, 2005 12:55 PM
>To: ietf-pkix@xxxxxxxx; Santosh Chokhani
>Subject: Re: RE: 3280bis: CRL validation
>
>
>
> >Denis,
>
>>What is your solution?
>
>There are two cases to consider for CRL issuers.
>
> a) the CRL Issuer issues revocation information for a single CA;
> b) the CRL Issuer issues revocation information for more than one CA.
>
>Case a) is simple, while case b) is much more complex (this is the "zillions
>of cases").
>
>We may have a simple and secure rule for case a).
>The certificateIssuer extension from a certificate is defined as:
>
> certificateIssuer ::= GeneralNames
>
>with
>
> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>
>In that case the name(s) contained in certificateIssuer MUST be certified by
>the CA that has issued the certificate where the extension appears.
>
>This means that the CRL Issuer can only be nominated by the CA that has
>issued the certificate.
>
>Denis
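The case a) rule discussed above, modeled as a constructed Python check. This is an added example, not code from the thread, from RFC 3280 or from either author; names are plain strings standing in for X.500 Names / GeneralNames (no ASN.1 is parsed), "certified by the CA" is modeled as "equals the issuing CA's name", the way the CA nominates its CRL issuer inside the certificate is an assumption (modeled as a single nominated name), and the defaulting of an absent certificateIssuer entry extension follows the rule in RFC 3280 section 5.3.4 (first entry defaults to the CRL issuer, later entries to the preceding entry).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed data model: names are plain strings standing in for X.500 Names
# and GeneralNames. Nothing here parses ASN.1 (assumption for illustration).


@dataclass
class Certificate:
    serial: int
    issuer: str                                  # name of the CA that issued it
    nominated_crl_issuer: Optional[str] = None   # CRL issuer nominated by that CA
                                                 # in the certificate (assumption);
                                                 # None means the CA issues its own CRLs


@dataclass
class CRLEntry:
    serial: int
    # certificateIssuer entry extension (GeneralNames); empty list = absent.
    certificate_issuer: List[str] = field(default_factory=list)


@dataclass
class CRL:
    issuer: str
    entries: List[CRLEntry]


def nominated_issuer(cert: Certificate) -> str:
    """The only CRL issuer the certificate's CA has nominated (case a))."""
    return cert.nominated_crl_issuer or cert.issuer


def effective_certificate_issuers(crl: CRL) -> List[List[str]]:
    """Resolve the certificate issuer name(s) for every entry.

    Defaulting as in RFC 3280 section 5.3.4: absent on the first entry means the
    CRL issuer itself; absent on a later entry means the same as the preceding entry.
    """
    resolved: List[List[str]] = []
    current = [crl.issuer]
    for entry in crl.entries:
        if entry.certificate_issuer:
            current = list(entry.certificate_issuer)
        resolved.append(current)
    return resolved


def check_case_a(cert: Certificate, crl: CRL) -> Tuple[bool, bool, str]:
    """Apply the case a) rule to one certificate and one CRL.

    Returns (accepted, revoked, reason). accepted is False when the CRL is not
    one the certificate's CA nominated, or when any entry names a certificate
    issuer other than that CA (then the CRL is really a case b) CRL and this
    simple rule does not apply). revoked is only meaningful when accepted.
    """
    if crl.issuer != nominated_issuer(cert):
        return False, False, "CRL issuer was not nominated by the certificate's CA"
    revoked = False
    for entry, names in zip(crl.entries, effective_certificate_issuers(crl)):
        # Case a): every certificateIssuer name MUST be the CA that issued cert.
        if names != [cert.issuer]:
            return False, False, (
                f"entry {entry.serial} names certificate issuer(s) {names}, "
                f"not {cert.issuer}"
            )
        if entry.serial == cert.serial:
            revoked = True
    return True, revoked, "ok"


# Constructed sample data (hypothetical names, not real CAs).
CA = "CN=Example CA"
CRL_ISSUER = "CN=Example CRL Issuer"
CERT_DIRECT = Certificate(serial=7, issuer=CA)
CERT_INDIRECT = Certificate(serial=7, issuer=CA, nominated_crl_issuer=CRL_ISSUER)
CRL_DIRECT = CRL(issuer=CA, entries=[CRLEntry(5), CRLEntry(7)])
CRL_INDIRECT = CRL(issuer=CRL_ISSUER, entries=[CRLEntry(7, [CA])])
CRL_INDIRECT_NO_EXT = CRL(issuer=CRL_ISSUER, entries=[CRLEntry(7)])
CRL_MIXED = CRL(issuer=CRL_ISSUER,
                entries=[CRLEntry(3, [CA]), CRLEntry(9, ["CN=Other CA"])])


if __name__ == "__main__":
    for label, cert, crl in [("direct", CERT_DIRECT, CRL_DIRECT),
                             ("indirect", CERT_INDIRECT, CRL_INDIRECT),
                             ("indirect, no certificateIssuer", CERT_INDIRECT, CRL_INDIRECT_NO_EXT),
                             ("multi-CA CRL", CERT_INDIRECT, CRL_MIXED)]:
        print(label, check_case_a(cert, crl))
```

The multi-CA and missing-extension cases are rejected outright rather than treated as "not revoked", which is the conservative reading of the rule: a validator that cannot tie every entry's certificate issuer back to the certificate's own CA has no basis for a revocation decision under case a).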