
Re: Public key validation and Proof of possession




Steve:

If I understand your proposal, you are suggesting a certificate policy OID that would be included in the certificate (in addition to any other certificate policy OID that is appropriate). This would be acceptable to me if it was only used in end-entity certificates. I think it could add complication to certificate policy mapping, which is already too messy.

I note that the certificate policy OID does not offer the same granularity. The OID would only be included if the public key validation is performed and proof of possession is performed.

Russ

At 12:45 PM 10/26/2005, Stephen Kent wrote:
Russ,

I think this is a good suggestion, and the extension should be as simple as you suggest. Relying on this being in a CP is asking a lot in management terms, as you noted.

However, one might also address this by defining an IETF-standard CP that addresses just these issues, and allowing CAs to add that CP to whatever other CP they assert in a cert. How do you feel about that alternative?

Steve