A point related to a topic that interests Peter. In section 3.3 the text states: “Conforming SCVP server implementations MUST process the requestorRef value if present”. This is incorrect, since it is only a requirement if the SCVP server is performing relaying.
Good question, here is one thought. It could occur that a server was erroneously presented with a reference that carries its own id. If this came from another server that relayed to it, the final response may have two authentication envelopes with identical identifiers. Or, the responder field of this response would be the same as the one that will further down encapsulate it.

C -> A(1) -> B -> A(2)

B receives response from A2, encapsulates or relays it to A1, and A1 includes this in its response to C. If I have to keep this structure for some long term, I might have problems to explain the difference between A1 and A2.

I don't know whether this really presents a problem. Maybe someone on the pkix list has an opinion, I'll CC it.

--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you load the authority's certificate; you will also find the list of revoked certificates there.
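The C -> A(1) -> B -> A(2) case discussed in this thread, as an added Python sketch that is not part of either message or of the SCVP draft. It assumes a simplified model: names are plain strings, each relaying server appends its own id to requestorRef before forwarding, and a server that processes requestorRef rejects a request already carrying its id. The class and function names are hypothetical.

```python
# Simplified model, not ASN.1/CMS: names are plain strings and "envelopes"
# are nested dicts. All identifiers here are constructed for illustration.

class RelayLoop(Exception):
    """Raised when a server finds its own id in an incoming requestorRef."""

class Server:
    def __init__(self, server_id, next_hop=None, check_ref=True):
        self.server_id = server_id
        self.next_hop = next_hop      # server to relay to, or None to answer locally
        self.check_ref = check_ref    # whether requestorRef is processed
        self.visits = 0

    def handle(self, request):
        refs = request.get("requestorRef", [])
        if self.check_ref and self.server_id in refs:
            raise RelayLoop(f"{self.server_id} already in requestorRef {refs}")
        self.visits += 1
        # On a second visit, answer locally so the unchecked run terminates.
        if self.next_hop is None or self.visits > 1:
            return {"responder": self.server_id, "inner": None}
        relayed = {"query": request["query"],
                   "requestorRef": refs + [self.server_id]}
        inner = self.next_hop.handle(relayed)
        # Encapsulate the relayed response in this server's own envelope.
        return {"responder": self.server_id, "inner": inner}

def responders(response):
    """List responder ids from the outermost envelope inward."""
    out = []
    while response is not None:
        out.append(response["responder"])
        response = response["inner"]
    return out

def run(check_ref):
    a = Server("A", check_ref=check_ref)
    b = Server("B", next_hop=a, check_ref=check_ref)
    a.next_hop = b  # erroneous configuration: A relays to B, B relays to A
    try:
        return responders(a.handle({"query": "cert-1", "requestorRef": []}))
    except RelayLoop:
        return "loop detected"

if __name__ == "__main__":
    print("requestorRef ignored:  ", run(False))
    print("requestorRef processed:", run(True))
```

With requestorRef ignored, the outermost and innermost envelopes both name A as responder, which is the A1/A2 ambiguity raised above; with it processed, the second arrival at A is refused before any nested response is built.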