
RE: Public key validation and Proof of possession



Steve,

Unfortunately this is not compliant with the current path validation
algorithm.

When you test a certificate for a number of acceptable policies, path
validation will accept the certificate if just one of these policies is
supported by the path.

There is no way to tell the standard path validation that a certificate
is valid only if a combination of policies is supported (e.g. IETF policy A
+ policy B).

All policies expressed in a certificate must represent a complete policy
declaration. Partial policies are not supported.


Stefan Santesson
Program Manager, Standards Liaison
Windows Security

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Stephen Kent
> Sent: 26 October 2005 18:45
> To: Russ Housley
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Public key validation and Proof of possession
> 
> 
> Russ,
> 
> I think this is a good suggestion, and the extension should be as
> simple as you suggest.  Relying on this being in a CP is asking a lot
> in management terms, as you noted.
> 
> However, one might also address this by defining an IETF-standard CP
> that addresses just these issues, and allowing CAs to add that CP to
> whatever other CP they assert in a cert.  How do you feel about that
> alternative?
> 
> Steve
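Stefan's objection above can be seen by walking through the certificate-policy step of RFC 3280 path validation. The following is an added example, not code from either poster or from any PKIX implementation: a deliberately simplified model (no policy mappings, inhibit flags or qualifiers; initial-explicit-policy assumed set) in which the policy OIDs under the 2.999 example arc are constructed placeholders. It shows that a path asserting only policy A passes against an acceptable set of {A, B}, because the final step accepts as soon as one policy survives the intersection.

```python
# Constructed, simplified model of the certificate-policy handling in
# RFC 3280 section 6.1 path validation. Assumptions: no policy mappings,
# no inhibit-anyPolicy / inhibit-mapping, and initial-explicit-policy set,
# so a path with no acceptable policy is rejected.

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID, RFC 3280 section 4.2.1.5

def valid_policy_set(path):
    """Flatten the valid_policy_tree to the set of policies still valid at
    the end entity. `path` is one set of asserted policy OIDs per
    certificate, trust anchor excluded, end-entity certificate last."""
    valid = {ANY_POLICY}                     # the tree's root node
    for cert_policies in path:
        if not cert_policies:                # no certificatePolicies: tree becomes NULL
            return set()
        if ANY_POLICY in cert_policies:
            continue                         # anyPolicy carries every valid node forward
        if ANY_POLICY in valid:
            valid = set(cert_policies)       # specific policies hang off an anyPolicy node
        else:
            valid &= set(cert_policies)      # a node survives only if its parent is valid
    return valid

def path_accepted(path, user_initial_policy_set):
    """RFC 3280 section 6.1.5 step (g): intersect the valid policies with
    the relying party's acceptable set and accept when at least ONE policy
    survives. There is no step that can require two policies together."""
    valid = valid_policy_set(path)
    if ANY_POLICY in valid:
        return True                          # path asserted nothing but anyPolicy
    if ANY_POLICY in user_initial_policy_set:
        return bool(valid)                   # any explicit policy is acceptable
    return bool(valid & user_initial_policy_set)

POLICY_A = "2.999.1"   # constructed placeholder under the OID example arc
POLICY_B = "2.999.2"   # constructed placeholder under the OID example arc

if __name__ == "__main__":
    # CA and end-entity certificates both assert only policy A, yet the
    # path is accepted for an acceptable set of {A, B}.
    print(path_accepted([{POLICY_A}, {POLICY_A}], {POLICY_A, POLICY_B}))  # True
```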